From 33a4888438a37b3e17b9cf10510d948c612bbcc5 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Fri, 2 May 2025 12:05:29 +0100 Subject: [PATCH 01/12] Add missing fields to auth config Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 91 +++++++++++++++++++++++++++---- 1 file changed, 79 insertions(+), 12 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 52a41b2fef2..77451b04f37 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -243,6 +243,10 @@ type OIDCProvider struct { // +listType=atomic // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` + + // +optional + // userValidationRules provides the configuration for a single user validation rule. + UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } // +kubebuilder:validation:MinLength=1 @@ -291,8 +295,40 @@ type TokenIssuer struct { // // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` + + // discoveryURL, if specified, overrides the URL used to fetch discovery + // information instead of using "{url}/.well-known/openid-configuration". + // The exact value specified is used, so "/.well-known/openid-configuration" + // must be included in discoveryURL if needed. Must be a valid https URL + // without query parameters, user info, or fragments. + // + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).scheme == 'https' : true",message="discoveryURL must use https scheme" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).query == '' : true",message="discoveryURL must not contain query parameters" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).user == '' : true",message="discoveryURL must not contain user info" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).fragment == '' : true",message="discoveryURL must not contain a fragment" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (issuer.url.size() == 0 || self.find('^.+[^/]') != issuer.url.find('^.+[^/]')) : true",message="discoveryURL must be different from URL" + // + // +optional + DiscoveryURL string `json:"discoveryURL,omitempty"` + + // audienceMatchPolicy specifies how token audiences are matched. + // If omitted, the system applies a default policy. + // + // +optional + AudienceMatchPolicy AudienceMatchPolicy `json:"audienceMatchPolicy,omitempty"` } +// AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy. +// +// +kubebuilder:validation:Enum=MatchAny;"" +type AudienceMatchPolicy string + +// Valid types for AudienceMatchPolicyType +const ( + AudienceMatchPolicyMatchAny AudienceMatchPolicy = "MatchAny" +) + type TokenClaimMappings struct { // username is a required field that configures how the username of a cluster identity // should be constructed from the claims in a JWT token issued by the identity provider. @@ -717,15 +753,23 @@ type PrefixedClaimMapping struct { Prefix string `json:"prefix"` } -// TokenValidationRuleType represents the different -// claim validation rule types that can be configured. -// +enum +// TokenValidationRuleType defines the type of token validation rule. +// +// +kubebuilder:validation:Enum=RequiredClaim;Expression type TokenValidationRuleType string const ( - TokenValidationRuleTypeRequiredClaim = "RequiredClaim" + TokenValidationRuleRequiredClaim TokenValidationRuleType = "RequiredClaim" + TokenValidationRuleExpression TokenValidationRuleType = "Expression" ) +// TokenClaimValidationRule represents a validation rule based on token claims. +// If type is RequiredClaim, requiredClaim must be set. +// If type is Expression, expressionRule must be set. +// +// +kubebuilder:validation:XValidation:rule="self.type != 'RequiredClaim' || has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim'" +// +kubebuilder:validation:XValidation:rule="self.type != 'Expression' || has(self.expressionRule)",message="expressionRule must be set when type is 'Expression'" + type TokenClaimValidationRule struct { // type is an optional field that configures the type of the validation rule. // @@ -742,19 +786,20 @@ type TokenClaimValidationRule struct { // +kubebuilder:default="RequiredClaim" Type TokenValidationRuleType `json:"type"` - // requiredClaim is an optional field that configures the required claim - // and value that the Kubernetes API server will use to validate if an incoming - // JWT is valid for this identity provider. + // requiredClaim allows configuring a required claim name and its expected value. + // RequiredClaim is used when type is RequiredClaim. + // +optional + RequiredClaim *TokenRequiredClaim `json:"requiredClaim"` + + // expressionRule contains the configuration for the "Expression" type. + // Must be set if type == "Expression". // // +optional - RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"` + ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` } type TokenRequiredClaim struct { - // claim is a required field that configures the name of the required claim. - // When taken from the JWT claims, claim must be a string value. - // - // claim must not be an empty string (""). + // claim is a name of a required claim. Only claims with string values are supported. // // +kubebuilder:validation:MinLength=1 // +required @@ -771,3 +816,25 @@ type TokenRequiredClaim struct { // +required RequiredValue string `json:"requiredValue"` } + +type TokenExpressionRule struct { + // CEL expression to evaluate against token claims. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + Expression string `json:"expression"` + + // Optional message shown when the validation fails. + // +optional + Message string `json:"message,omitempty"` +} + +// UserValidationRule provides the configuration for a single user validation rule. +type TokenUserValidationRule struct { + // Expression must not exceed 4096 characters in length. + // Expression must not be empty. + // +optional + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + Expression string `json:"expression,omitempty"` + Message string `json:"message,omitempty"` +} From ed9dbb9993a36e223cc31efe3f4235e204ab6342 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Tue, 6 May 2025 14:39:29 +0200 Subject: [PATCH 02/12] Refine API validations, improve GoDocs, and align with CEL and union conventions Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 73 ++++++++++++++++++++++--------- 1 file changed, 52 insertions(+), 21 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 77451b04f37..6c6e52c6289 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -244,14 +244,20 @@ type OIDCProvider struct { // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` + // UserValidationRules defines the set of rules used to validate claims in a user’s token. + // These rules determine whether a token subject is considered valid based on its claims. + // Each rule is evaluated independently. + // See the TokenUserValidationRule type for more information on rule structure. // +optional - // userValidationRules provides the configuration for a single user validation rule. + + //+listType=atomic UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } // +kubebuilder:validation:MinLength=1 type TokenAudience string +// +kubebuilder:validation:XValidation:rule="self.discoveryURL.size() > 0 ? (self.url.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.url.find('^.+[^/]')) : true",message="discoveryURL must be different from URL" type TokenIssuer struct { // issuerURL is a required field that configures the URL used to issue tokens // by the identity provider. @@ -296,24 +302,30 @@ type TokenIssuer struct { // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` - // discoveryURL, if specified, overrides the URL used to fetch discovery - // information instead of using "{url}/.well-known/openid-configuration". - // The exact value specified is used, so "/.well-known/openid-configuration" - // must be included in discoveryURL if needed. Must be a valid https URL - // without query parameters, user info, or fragments. + // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + // used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + // as "{url}/.well-known/openid-configuration". + // + // The discoveryURL must: + // - Be a valid absolute URL. + // - Use the HTTPS scheme. + // - Not contain query parameters, user info, or fragments. + // - Be different from the value of `url` (ignoring trailing slashes) // + // +optional // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).scheme == 'https' : true",message="discoveryURL must use https scheme" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).query == '' : true",message="discoveryURL must not contain query parameters" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).user == '' : true",message="discoveryURL must not contain user info" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).fragment == '' : true",message="discoveryURL must not contain a fragment" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (issuer.url.size() == 0 || self.find('^.+[^/]') != issuer.url.find('^.+[^/]')) : true",message="discoveryURL must be different from URL" - // - // +optional + // +kubebuilder:validation:MaxLength=2048 + DiscoveryURL string `json:"discoveryURL,omitempty"` // audienceMatchPolicy specifies how token audiences are matched. // If omitted, the system applies a default policy. + // Valid values are: + // - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. // // +optional AudienceMatchPolicy AudienceMatchPolicy `json:"audienceMatchPolicy,omitempty"` @@ -759,16 +771,16 @@ type PrefixedClaimMapping struct { type TokenValidationRuleType string const ( - TokenValidationRuleRequiredClaim TokenValidationRuleType = "RequiredClaim" - TokenValidationRuleExpression TokenValidationRuleType = "Expression" + TokenValidationRuleRequiredClaim = "RequiredClaim" + TokenValidationRuleExpression = "Expression" ) // TokenClaimValidationRule represents a validation rule based on token claims. // If type is RequiredClaim, requiredClaim must be set. // If type is Expression, expressionRule must be set. // -// +kubebuilder:validation:XValidation:rule="self.type != 'RequiredClaim' || has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim'" -// +kubebuilder:validation:XValidation:rule="self.type != 'Expression' || has(self.expressionRule)",message="expressionRule must be set when type is 'Expression'" +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Expression' ? has(self.expressionRule) : !has(self.expressionRule)",message="expressionRule must be set when type is 'Expression', and forbidden otherwise" type TokenClaimValidationRule struct { // type is an optional field that configures the type of the validation rule. @@ -782,7 +794,6 @@ type TokenClaimValidationRule struct { // // Defaults to 'RequiredClaim'. // - // +kubebuilder:validation:Enum={"RequiredClaim"} // +kubebuilder:default="RequiredClaim" Type TokenValidationRuleType `json:"type"` @@ -818,23 +829,43 @@ type TokenRequiredClaim struct { } type TokenExpressionRule struct { - // CEL expression to evaluate against token claims. + // Expression is a CEL expression evaluated against token claims. + // The expression must be a non-empty string and no longer than 4096 characters. + // This field is required. + // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=4096 + // +required Expression string `json:"expression"` - // Optional message shown when the validation fails. + // Message allows configuring the human-readable message that is returned + // from the Kubernetes API server when a token fails validation based on + // the CEL expression defined in 'expression'. This field is optional. + // // +optional + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 Message string `json:"message,omitempty"` } -// UserValidationRule provides the configuration for a single user validation rule. +// TokenUserValidationRule provides a CEL-based rule used to validate a token subject. +// Each rule contains a CEL expression that is evaluated against the token’s claims. +// If the expression evaluates to false, the token is rejected. +// See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. +// At least one rule must evaluate to true for the token to be considered valid. type TokenUserValidationRule struct { - // Expression must not exceed 4096 characters in length. - // Expression must not be empty. - // +optional + // Expression is a CEL expression that must evaluate + // to true for the token to be accepted. The expression is evaluated against the token's + // user information (e.g., username, groups). This field must be non-empty and may not + // exceed 4096 characters. + // + // +required // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=4096 Expression string `json:"expression,omitempty"` - Message string `json:"message,omitempty"` + // Message is an optional, human-readable message returned by the API server when + // this validation rule fails. It can help clarify why a token was rejected. + // + // +optional + Message string `json:"message,omitempty"` } From 2d755b707d02f8888f8feb7cc39e347754c97bad Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Fri, 9 May 2025 12:42:49 +0200 Subject: [PATCH 03/12] added tests for new auth config fields and created a feature-gate for those fields Signed-off-by: Shaza Aldawamneh --- .../ExternalOIDCAuthConfig.yaml | 330 + ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 418 +- ...uthentications-Hypershift-Default.crd.yaml | 406 +- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 418 +- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 418 +- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 418 +- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 418 +- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 418 +- config/v1/zz_generated.deepcopy.go | 42 + .../ExternalOIDC.yaml | 406 +- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 418 +- .../v1/zz_generated.swagger_doc_generated.go | 294 +- features/features.go | 431 +- .../generated_openapi/zz_generated.openapi.go | 7717 ++++++++--------- openapi/openapi.json | 3160 +++---- ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 418 +- ...uthentications-Hypershift-Default.crd.yaml | 406 +- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 418 +- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 418 +- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 418 +- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 418 +- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 418 +- 22 files changed, 8383 insertions(+), 10243 deletions(-) create mode 100644 config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml new file mode 100644 index 00000000000..65af2e3bc65 --- /dev/null +++ b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCAuthConfig.yaml @@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "Authentication" +crdName: authentications.config.openshift.io +featureGates: +- ExternalOIDCWithNewAuthConfigFields +tests: + onCreate: + # DiscoveryURL Tests + - name: Valid discoveryURL + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: https://auth.example.com/.well-known/openid-configuration + + - name: discoveryURL must be a valid URL + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: not-a-valid-url + error: "discoveryURL must be a valid URL" + + - name: discoveryURL must not contain user info + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: https://user:pass@auth.example.com/ + error: "discoveryURL must not contain user info" + + - name: discoveryURL exceeds max length + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: "https://auth.example.com/$(printf 'a%.0s' {1..2050})" + error: "discoveryURL: Too long" + + - name: discoveryURL must not contain fragment + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: https://auth.example.com/#fragment + error: "discoveryURL must not contain a fragment" + + - name: discoveryURL must use https + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: http://auth.example.com/invalid + error: "discoveryURL must use https scheme" + + - name: discoveryURL must not contain query + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: https://auth.example.com/path?foo=bar + error: "discoveryURL must not contain query parameters" + + - name: discoveryURL must be different from URL + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com/ + audiences: ['openshift-aud'] + discoveryURL: https://auth.example.com/ + error: "discoveryURL must be different from URL" + + # AudienceMatchPolicy Tests + + - name: Valid AudienceMatchPolicy + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com + audiences: ['openshift-aud'] + audienceMatchPolicy: MatchAny + + - name: Invalid AudienceMatchPolicy + initial: | + apiVersion: config.openshift.io/v1 + kind: TokenIssuer + spec: + issuerURL: https://auth.example.com + audiences: ['openshift-aud'] + audienceMatchPolicy: InvalidPolicy + error: "audienceMatchPolicy: Unsupported value" + + # TokenClaimValidationRule Tests + - name: Valid RequiredClaim rule + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://auth.example.com + audiences: ['openshift-aud'] + claimValidationRules: + - type: RequiredClaim + requiredClaim: + claim: "role" + requiredValue: "admin" + + - name: Missing requiredClaim when type is RequiredClaim + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://auth.example.com + audiences: ['openshift-aud'] + claimValidationRules: + - type: RequiredClaim + expectedError: "requiredClaim must be set when type is 'RequiredClaim'" + + - name: Valid ExpressionRule configuration + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimValidationRules: + - type: Expression + expressionRule: + expression: "claims.email.endsWith('@example.com')" + message: "email must be from example.com" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimValidationRules: + - type: Expression + expressionRule: + expression: "claims.email.endsWith('@example.com')" + message: "email must be from example.com" + + - name: Missing expressionRule for Expression type + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimValidationRules: + - type: Expression + expectedError: "expressionRule must be set when type is 'Expression', and forbidden otherwise" + + - name: Expression too long + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimValidationRules: + - type: Expression + expressionRule: + expression: "{{longExpression}}" + replacements: + longExpression: "{{'x' * 5000}}" + expectedError: "expression: Too long: must have at most 4096 characters" + + - name: Empty expression in expressionRule + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimValidationRules: + - type: Expression + expressionRule: + expression: "" + message: "must not be empty" + expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1" + + # TokenUserValidationRule Tests + + - name: Valid TokenUserValidationRule with expression and message + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "user.username.startsWith('admin')" + message: "Only admin users are allowed" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "user.username.startsWith('admin')" + message: "Only admin users are allowed" + + - name: Missing expression in TokenUserValidationRule + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - message: "Should never reach here" + expectedError: "expression: Required value" + + - name: Expression too long in TokenUserValidationRule + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "{{longExpression}}" + message: "This expression is too long" + replacements: + longExpression: "{{'x' * 5000}}" + expectedError: "expression: Too long: must have at most 4096 characters" + + - name: Empty expression in TokenUserValidationRule + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "" + message: "Empty expressions are invalid" + expectedError: "expression: Invalid value: \"\": validation failed: value length must be at least 1" + + - name: Valid TokenUserValidationRule with expression only + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "user.groups.exists(g, g == 'admins')" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + userValidationRules: + - expression: "user.groups.exists(g, g == 'admins')" + diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index 4f67bf9e0ca..bdd6b39e7e7 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index 2a3b60571cb..50cb0d83385 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -79,34 +79,27 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -115,33 +108,18 @@ spec: type: object username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -149,28 +127,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -185,40 +160,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -227,36 +211,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -264,17 +254,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -285,77 +286,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -366,34 +328,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -409,8 +358,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -534,29 +510,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -630,10 +593,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -645,37 +606,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 195efce400b..2a12eec83b4 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 4e8c79c3201..ccfd29ab983 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 72c798fae70..384bf105a9a 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 998e804191f..9af68271f95 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 75446be6cca..4799299b92b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 788e10479b6..813defd181b 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -4599,6 +4599,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.UserValidationRules != nil { + in, out := &in.UserValidationRules, &out.UserValidationRules + *out = make([]TokenUserValidationRule, len(*in)) + copy(*out, *in) + } return } @@ -6230,6 +6235,11 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) *out = new(TokenRequiredClaim) **out = **in } + if in.ExpressionRule != nil { + in, out := &in.ExpressionRule, &out.ExpressionRule + *out = new(TokenExpressionRule) + **out = **in + } return } @@ -6264,6 +6274,22 @@ func (in *TokenConfig) DeepCopy() *TokenConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenExpressionRule) DeepCopyInto(out *TokenExpressionRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenExpressionRule. +func (in *TokenExpressionRule) DeepCopy() *TokenExpressionRule { + if in == nil { + return nil + } + out := new(TokenExpressionRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) { *out = *in @@ -6302,6 +6328,22 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule. +func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule { + if in == nil { + return nil + } + out := new(TokenUserValidationRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Update) DeepCopyInto(out *Update) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index 06d4e0f041c..6f4246946e2 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -80,34 +80,27 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -116,33 +109,18 @@ spec: type: object username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -150,28 +128,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -186,40 +161,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -228,36 +212,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -265,17 +255,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -286,77 +287,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -367,34 +329,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -410,8 +359,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -535,29 +511,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -631,10 +594,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -646,37 +607,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 34ed169f089..77b64e3562a 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -80,9 +80,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -90,7 +89,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -171,44 +170,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -256,8 +249,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -267,33 +260,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -301,28 +279,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -337,40 +312,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -379,36 +363,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -416,17 +406,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -437,77 +438,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -518,34 +480,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -561,8 +510,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -686,29 +662,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -782,10 +745,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -797,37 +758,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index e3494151c66..566d03ff115 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -318,7 +318,7 @@ var map_APIServerSpec = map[string]string{ "clientCA": "clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. You usually only have to set this if you have your own PKI you wish to honor client certificates from. The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - ConfigMap.Data[\"ca-bundle.crt\"] - CA bundle.", "additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", - "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", + "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", } @@ -399,7 +399,7 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { var map_ExtraMapping = map[string]string{ "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", - "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", + "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", } func (ExtraMapping) SwaggerDoc() map[string]string { @@ -407,12 +407,11 @@ func (ExtraMapping) SwaggerDoc() map[string]string { } var map_OIDCClientConfig = map[string]string{ - "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", - "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", - "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", - "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", - "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", + "componentName": "componentName is the name of the component that is supposed to consume this client configuration", + "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", + "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", + "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { @@ -420,10 +419,9 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "": "OIDCClientReference is a reference to a platform component client configuration.", - "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", - "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", - "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", + "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", + "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", + "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", } func (OIDCClientReference) SwaggerDoc() map[string]string { @@ -431,11 +429,10 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", - "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", - "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", - "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", + "componentName": "componentName is the name of the component that will consume a client configuration.", + "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", + "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", + "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } @@ -444,11 +441,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", - "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", - "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", - "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", - "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "name": "name of the OIDC provider", + "issuer": "issuer describes atributes of the OIDC token issuer", + "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", + "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", + "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -456,8 +453,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -465,8 +461,7 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", - "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + "claim": "claim is a JWT token claim to be used in the mapping", } func (TokenClaimMapping) SwaggerDoc() map[string]string { @@ -474,10 +469,10 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", - "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", + "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", - "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { @@ -487,7 +482,7 @@ func (TokenClaimMappings) SwaggerDoc() map[string]string { var map_TokenClaimOrExpressionMapping = map[string]string{ "": "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.", "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.", - "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", + "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", } func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { @@ -495,18 +490,29 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { } var map_TokenClaimValidationRule = map[string]string{ - "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", - "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + "type": "type sets the type of the validation rule", + "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. RequiredClaim is used when type is RequiredClaim.", + "expressionRule": "expressionRule contains the configuration for the \"Expression\" type. Must be set if type == \"Expression\".", } func (TokenClaimValidationRule) SwaggerDoc() map[string]string { return map_TokenClaimValidationRule } +var map_TokenExpressionRule = map[string]string{ + "expression": "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", + "message": "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", +} + +func (TokenExpressionRule) SwaggerDoc() map[string]string { + return map_TokenExpressionRule +} + var map_TokenIssuer = map[string]string{ - "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", - "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", - "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", + "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", + "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", + "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "audienceMatchPolicy": "audienceMatchPolicy specifies how token audiences are matched. If omitted, the system applies a default policy. Valid values are: - \"MatchAny\": The token is accepted if any of its audiences match any of the configured audiences.", } func (TokenIssuer) SwaggerDoc() map[string]string { @@ -514,31 +520,30 @@ func (TokenIssuer) SwaggerDoc() map[string]string { } var map_TokenRequiredClaim = map[string]string{ - "claim": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", - "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", + "claim": "claim is a name of a required claim. Only claims with string values are supported.", + "requiredValue": "requiredValue is the required value for the claim.", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { return map_TokenRequiredClaim } -var map_UsernameClaimMapping = map[string]string{ - "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", - "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", +var map_TokenUserValidationRule = map[string]string{ + "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims. If the expression evaluates to false, the token is rejected. See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. At least one rule must evaluate to true for the token to be considered valid.", + "expression": "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + "message": "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", } -func (UsernameClaimMapping) SwaggerDoc() map[string]string { - return map_UsernameClaimMapping +func (TokenUserValidationRule) SwaggerDoc() map[string]string { + return map_TokenUserValidationRule } -var map_UsernamePrefix = map[string]string{ - "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", - "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +var map_UsernameClaimMapping = map[string]string{ + "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", } -func (UsernamePrefix) SwaggerDoc() map[string]string { - return map_UsernamePrefix +func (UsernameClaimMapping) SwaggerDoc() map[string]string { + return map_UsernameClaimMapping } var map_WebhookTokenAuthenticator = map[string]string{ @@ -611,47 +616,8 @@ func (ImageLabel) SwaggerDoc() map[string]string { return map_ImageLabel } -var map_ClusterImagePolicy = map[string]string{ - "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec contains the configuration for the cluster image policy.", - "status": "status contains the observed state of the resource.", -} - -func (ClusterImagePolicy) SwaggerDoc() map[string]string { - return map_ClusterImagePolicy -} - -var map_ClusterImagePolicyList = map[string]string{ - "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "items": "items is a list of ClusterImagePolices", -} - -func (ClusterImagePolicyList) SwaggerDoc() map[string]string { - return map_ClusterImagePolicyList -} - -var map_ClusterImagePolicySpec = map[string]string{ - "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", -} - -func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { - return map_ClusterImagePolicySpec -} - -var map_ClusterImagePolicyStatus = map[string]string{ - "conditions": "conditions provide details on the status of this API Resource.", -} - -func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { - return map_ClusterImagePolicyStatus -} - var map_ClusterOperator = map[string]string{ - "": "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "spec": "spec holds configuration that could apply to any operator.", "status": "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", @@ -779,7 +745,7 @@ var map_ClusterVersionSpec = map[string]string{ "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", - "channel": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", + "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", @@ -893,7 +859,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { @@ -1214,147 +1180,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", - "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor -} - -var map_ImagePolicy = map[string]string{ - "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec holds user settable values for configuration", - "status": "status contains the observed state of the resource.", -} - -func (ImagePolicy) SwaggerDoc() map[string]string { - return map_ImagePolicy -} - -var map_ImagePolicyList = map[string]string{ - "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "items": "items is a list of ImagePolicies", -} - -func (ImagePolicyList) SwaggerDoc() map[string]string { - return map_ImagePolicyList -} - -var map_ImagePolicySpec = map[string]string{ - "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", -} - -func (ImagePolicySpec) SwaggerDoc() map[string]string { - return map_ImagePolicySpec -} - -var map_ImagePolicyStatus = map[string]string{ - "conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", -} - -func (ImagePolicyStatus) SwaggerDoc() map[string]string { - return map_ImagePolicyStatus -} - -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", -} - -func (PKI) SwaggerDoc() map[string]string { - return map_PKI -} - -var map_PKICertificateSubject = map[string]string{ - "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", - "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", -} - -func (PKICertificateSubject) SwaggerDoc() map[string]string { - return map_PKICertificateSubject -} - -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - -var map_PolicyFulcioSubject = map[string]string{ - "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", -} - -func (PolicyFulcioSubject) SwaggerDoc() map[string]string { - return map_PolicyFulcioSubject -} - -var map_PolicyIdentity = map[string]string{ - "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "matchPolicy": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", - "remapIdentity": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", -} - -func (PolicyIdentity) SwaggerDoc() map[string]string { - return map_PolicyIdentity -} - -var map_PolicyMatchExactRepository = map[string]string{ - "repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", -} - -func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { - return map_PolicyMatchExactRepository -} - -var map_PolicyMatchRemapIdentity = map[string]string{ - "prefix": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", -} - -func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { - return map_PolicyMatchRemapIdentity -} - -var map_PolicyRootOfTrust = map[string]string{ - "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", -} - -func (PolicyRootOfTrust) SwaggerDoc() map[string]string { - return map_PolicyRootOfTrust -} - -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", - "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1480,7 +1305,6 @@ var map_AzurePlatformStatus = map[string]string{ "cloudName": "cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the value is equal to `AzurePublicCloud`.", "armEndpoint": "armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.", "resourceTags": "resourceTags is a list of additional tags to apply to Azure resources created for the cluster. See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources. Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.", - "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (AzurePlatformStatus) SwaggerDoc() map[string]string { @@ -1613,7 +1437,7 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", + "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -1653,7 +1477,7 @@ func (GCPServiceEndpoint) SwaggerDoc() map[string]string { var map_IBMCloudPlatformSpec = map[string]string{ "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", } func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string { @@ -1667,7 +1491,7 @@ var map_IBMCloudPlatformStatus = map[string]string{ "providerType": "providerType indicates the type of cluster that was created", "cisInstanceCRN": "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain", "dnsInstanceCRN": "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", } func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { diff --git a/features/features.go b/features/features.go index 231bad62b67..e1e65eb4836 100644 --- a/features/features.go +++ b/features/features.go @@ -52,12 +52,12 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateMutatingAdmissionPolicy = newFeatureGate("MutatingAdmissionPolicy"). + FeatureGateValidatingAdmissionPolicy = newFeatureGate("ValidatingAdmissionPolicy"). reportProblemsToJiraComponent("kube-apiserver"). contactPerson("benluddy"). productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3962"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3488"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateGatewayAPI = newFeatureGate("GatewayAPI"). @@ -92,16 +92,22 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - // OpenShift and Node Team will keep this turned off until evictions and - // disk provisioning are fixed even though upstream will take this GA. FeatureGateNodeSwap = newFeatureGate("NodeSwap"). reportProblemsToJiraComponent("node"). - contactPerson("haircommander"). + contactPerson("ehashman"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/2400"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateMachineAPIProviderOpenStack = newFeatureGate("MachineAPIProviderOpenStack"). + reportProblemsToJiraComponent("openstack"). + contactPerson("egarcia"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateInsightsConfigAPI = newFeatureGate("InsightsConfigAPI"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -110,6 +116,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateInsightsRuntimeExtractor = newFeatureGate("InsightsRuntimeExtractor"). + reportProblemsToJiraComponent("insights"). + contactPerson("jmesnil"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation"). reportProblemsToJiraComponent("scheduling"). contactPerson("jchaloup"). @@ -126,14 +140,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts"). - reportProblemsToJiraComponent("installer"). - contactPerson("rvanderp3"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1783"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMaxUnavailableStatefulSet = newFeatureGate("MaxUnavailableStatefulSet"). reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). @@ -149,12 +155,20 @@ var ( enhancementPR("https://github.com/kubernetes/enhancements/issues/3386"). mustRegister() + FeatureGatePrivateHostedZoneAWS = newFeatureGate("PrivateHostedZoneAWS"). + reportProblemsToJiraComponent("Routing"). + contactPerson("miciah"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateSigstoreImageVerification = newFeatureGate("SigstoreImageVerification"). reportProblemsToJiraComponent("node"). contactPerson("sgrunert"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI"). @@ -162,9 +176,17 @@ var ( contactPerson("QiWang"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1658"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGateGCPLabelsTags = newFeatureGate("GCPLabelsTags"). + reportProblemsToJiraComponent("Installer"). + contactPerson("bhb"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform"). reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). @@ -173,6 +195,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateCloudDualStackNodeIPs = newFeatureGate("CloudDualStackNodeIPs"). + reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). + contactPerson("mkowalsk"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal"). reportProblemsToJiraComponent("splat"). contactPerson("jcpowermac"). @@ -186,6 +216,14 @@ var ( contactPerson("vr4manta"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1709"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateVSphereMultiVCenters = newFeatureGate("VSphereMultiVCenters"). + reportProblemsToJiraComponent("splat"). + contactPerson("vr4manta"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -234,7 +272,7 @@ var ( contactPerson("jcaamano"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). @@ -261,6 +299,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateHardwareSpeed = newFeatureGate("HardwareSpeed"). + reportProblemsToJiraComponent("etcd"). + contactPerson("hasbro17"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateBackendQuotaGiB = newFeatureGate("EtcdBackendQuota"). reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). @@ -294,20 +340,12 @@ var ( FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes"). reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("ijanssen"). + contactPerson("cdoern"). productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1765"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting"). - reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("ijanssen"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1809"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateClusterAPIInstall = newFeatureGate("ClusterAPIInstall"). reportProblemsToJiraComponent("Installer"). contactPerson("vincepri"). @@ -331,14 +369,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateAzureClusterHostedDNSInstall = newFeatureGate("AzureClusterHostedDNSInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("sadasu"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateMixedCPUsAllocation = newFeatureGate("MixedCPUsAllocation"). reportProblemsToJiraComponent("NodeTuningOperator"). contactPerson("titzhak"). @@ -363,29 +393,21 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere"). - reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("rsaini"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1496"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateManagedBootImagesAzure = newFeatureGate("ManagedBootImagesAzure"). - reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("djoshy"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1761"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). + reportProblemsToJiraComponent("cloud-provider"). + contactPerson("jspeed"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() - FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement"). - reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("djoshy"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1761"). - enableIn(configv1.DevPreviewNoUpgrade). - mustRegister() + FeatureGateOnClusterBuild = newFeatureGate("OnClusterBuild"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("cheesesashimi"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateBootcNodeManagement = newFeatureGate("BootcNodeManagement"). reportProblemsToJiraComponent("MachineConfigOperator"). @@ -413,10 +435,10 @@ var ( FeatureGatePinnedImages = newFeatureGate("PinnedImages"). reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("RishabhSaini"). + contactPerson("jhernand"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateUpgradeStatus = newFeatureGate("UpgradeStatus"). @@ -424,7 +446,7 @@ var ( contactPerson("pmuller"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateTranslateStreamCloseWebsocketRequests = newFeatureGate("TranslateStreamCloseWebsocketRequests"). @@ -451,14 +473,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateExternalSnapshotMetadata = newFeatureGate("ExternalSnapshotMetadata"). - reportProblemsToJiraComponent("Storage / Kubernetes External Components"). - contactPerson("jdobson"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/3314"). - enableIn(configv1.DevPreviewNoUpgrade). - mustRegister() - FeatureGateExternalOIDC = newFeatureGate("ExternalOIDC"). reportProblemsToJiraComponent("authentication"). contactPerson("liouk"). @@ -477,6 +491,15 @@ var ( enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateExternalOIDCWithNewAuthConfigFields = newFeatureGate("ExternalOIDCWithNewAuthConfigFields"). + reportProblemsToJiraComponent("authentication"). + contactPerson("saldawam"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1763"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateExample = newFeatureGate("Example"). reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). @@ -493,6 +516,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGatePlatformOperators = newFeatureGate("PlatformOperators"). + reportProblemsToJiraComponent("olm"). + contactPerson("joe"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateNewOLM = newFeatureGate("NewOLM"). reportProblemsToJiraComponent("olm"). contactPerson("joe"). @@ -525,14 +556,6 @@ var ( enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA"). - reportProblemsToJiraComponent("olm"). - contactPerson("pegoncal"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1799"). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -541,6 +564,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateBareMetalLoadBalancer = newFeatureGate("BareMetalLoadBalancer"). + reportProblemsToJiraComponent("metal"). + contactPerson("EmilienM"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateInsightsConfig = newFeatureGate("InsightsConfig"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). @@ -549,6 +580,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateNodeDisruptionPolicy = newFeatureGate("NodeDisruptionPolicy"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("jerzhang"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMetricsCollectionProfiles = newFeatureGate("MetricsCollectionProfiles"). reportProblemsToJiraComponent("Monitoring"). contactPerson("rexagod"). @@ -557,6 +596,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateVSphereDriverConfiguration = newFeatureGate("VSphereDriverConfiguration"). + reportProblemsToJiraComponent("Storage / Kubernetes External Components"). + contactPerson("rbednar"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateClusterAPIInstallIBMCloud = newFeatureGate("ClusterAPIInstallIBMCloud"). reportProblemsToJiraComponent("Installer"). contactPerson("cjschaef"). @@ -565,6 +612,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). + reportProblemsToJiraComponent("Image Registry"). + contactPerson("flavianmissi"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMachineAPIMigration = newFeatureGate("MachineAPIMigration"). reportProblemsToJiraComponent("OCPCLOUD"). contactPerson("jspeed"). @@ -573,12 +628,12 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateClusterAPIMachineManagementVSphere = newFeatureGate("ClusterAPIMachineManagementVSphere"). - reportProblemsToJiraComponent("SPLAT"). - contactPerson("jcpowermac"). + FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). + reportProblemsToJiraComponent("CNV Network"). + contactPerson("mduarted"). productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1465"). - enableIn(configv1.DevPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateClusterMonitoringConfig = newFeatureGate("ClusterMonitoringConfig"). @@ -589,6 +644,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateMultiArchInstallAWS = newFeatureGate("MultiArchInstallAWS"). + reportProblemsToJiraComponent("Installer"). + contactPerson("r4f4"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure"). reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). @@ -596,6 +659,14 @@ var ( enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() + FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP"). + reportProblemsToJiraComponent("Installer"). + contactPerson("r4f4"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS"). reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). @@ -604,6 +675,14 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateAWSEFSDriverVolumeMetrics = newFeatureGate("AWSEFSDriverVolumeMetrics"). + reportProblemsToJiraComponent("Storage / Kubernetes External Components"). + contactPerson("fbertina"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateImageStreamImportMode = newFeatureGate("ImageStreamImportMode"). reportProblemsToJiraComponent("Multi-Arch"). contactPerson("psundara"). @@ -617,18 +696,15 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - // Note: this feature is perma-alpha, but it is safe and desireable to enable. - // It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33. - // See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards"). reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateProcMountType = newFeatureGate("ProcMountType"). @@ -636,7 +712,7 @@ var ( contactPerson("haircommander"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks"). @@ -644,7 +720,7 @@ var ( contactPerson("rvanderp"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager"). @@ -684,15 +760,18 @@ var ( contactPerson("eggfoobar"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1674"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). - mustRegister() + // TODO: Do not go GA until jira issue is resolved: https://issues.redhat.com/browse/OCPEDGE-1637 + // Annotations must correctly handle either DualReplica or HighlyAvailableArbiter going GA with + // the other still in TechPreview. + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() FeatureGateCVOConfiguration = newFeatureGate("ClusterVersionOperatorConfiguration"). reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("dhurta"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1492"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints"). @@ -711,12 +790,20 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateSELinuxChangePolicy = newFeatureGate("SELinuxChangePolicy"). + reportProblemsToJiraComponent("Storage / Kubernetes"). + contactPerson("jsafrane"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/1710"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + FeatureGateSELinuxMount = newFeatureGate("SELinuxMount"). reportProblemsToJiraComponent("Storage / Kubernetes"). contactPerson("jsafrane"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/1710"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() FeatureGateDualReplica = newFeatureGate("DualReplica"). @@ -724,8 +811,11 @@ var ( contactPerson("jaypoulz"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1675"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() + // TODO: Do not go GA until jira issue is resolved: https://issues.redhat.com/browse/OCPEDGE-1637 + // Annotations must correctly handle either DualReplica or HighlyAvailableArbiter going GA with + // the other still in TechPreview. + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() FeatureGateGatewayAPIController = newFeatureGate("GatewayAPIController"). reportProblemsToJiraComponent("Routing"). @@ -754,155 +844,4 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1748"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - - FeatureGateAzureMultiDisk = newFeatureGate("AzureMultiDisk"). - reportProblemsToJiraComponent("splat"). - contactPerson("jcpowermac"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1779"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateStoragePerformantSecurityPolicy = newFeatureGate("StoragePerformantSecurityPolicy"). - reportProblemsToJiraComponent("Storage / Kubernetes External Components"). - contactPerson("hekumar"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1804"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). - mustRegister() - - FeatureGateMultiDiskSetup = newFeatureGate("MultiDiskSetup"). - reportProblemsToJiraComponent("splat"). - contactPerson("jcpowermac"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1805"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateAWSDedicatedHosts = newFeatureGate("AWSDedicatedHosts"). - reportProblemsToJiraComponent("Installer"). - contactPerson("faermanj"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1781"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateVSphereMixedNodeEnv = newFeatureGate("VSphereMixedNodeEnv"). - reportProblemsToJiraComponent("splat"). - contactPerson("vr4manta"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1772"). - enableIn(configv1.DevPreviewNoUpgrade). - mustRegister() - - FeatureGatePreconfiguredUDNAddresses = newFeatureGate("PreconfiguredUDNAddresses"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("kyrtapz"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1793"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup"). - reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager"). - contactPerson("mtulio"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1802"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateImageVolume = newFeatureGate("ImageVolume"). - reportProblemsToJiraComponent("Node"). - contactPerson("haircommander"). - productScope(kubernetes). - enhancementPR("https://github.com/openshift/enhancements/pull/1792"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). - mustRegister() - - FeatureGateNoRegistryClusterOperations = newFeatureGate("NoRegistryClusterOperations"). - reportProblemsToJiraComponent("Installer / Agent based installation"). - contactPerson("andfasano"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1821"). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateGCPClusterHostedDNSInstall = newFeatureGate("GCPClusterHostedDNSInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateGCPCustomAPIEndpointsInstall = newFeatureGate("GCPCustomAPIEndpointsInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1492"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateIrreconcilableMachineConfig = newFeatureGate("IrreconcilableMachineConfig"). - reportProblemsToJiraComponent("MachineConfigOperator"). - contactPerson("pabrodri"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1785"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateAWSDualStackInstall = newFeatureGate("AWSDualStackInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("sadasu"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1806"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateAzureDualStackInstall = newFeatureGate("AzureDualStackInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("jhixson74"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1806"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureGateGCPDualStackInstall = newFeatureGate("GCPDualStackInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1806"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureCBORServingAndStorage = newFeatureGate("CBORServingAndStorage"). - reportProblemsToJiraComponent("kube-apiserver"). - contactPerson("benluddy"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureCBORClientsAllowCBOR = newFeatureGate("ClientsAllowCBOR"). - reportProblemsToJiraComponent("kube-apiserver"). - contactPerson("benluddy"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - - FeatureClientsPreferCBOR = newFeatureGate("ClientsPreferCBOR"). - reportProblemsToJiraComponent("kube-apiserver"). - contactPerson("benluddy"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() ) diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 77124efe23c..ba6a1f74d03 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -185,10 +185,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.CloudLoadBalancerConfig": schema_openshift_api_config_v1_CloudLoadBalancerConfig(ref), "github.com/openshift/api/config/v1.CloudLoadBalancerIPs": schema_openshift_api_config_v1_CloudLoadBalancerIPs(ref), "github.com/openshift/api/config/v1.ClusterCondition": schema_openshift_api_config_v1_ClusterCondition(ref), - "github.com/openshift/api/config/v1.ClusterImagePolicy": schema_openshift_api_config_v1_ClusterImagePolicy(ref), - "github.com/openshift/api/config/v1.ClusterImagePolicyList": schema_openshift_api_config_v1_ClusterImagePolicyList(ref), - "github.com/openshift/api/config/v1.ClusterImagePolicySpec": schema_openshift_api_config_v1_ClusterImagePolicySpec(ref), - "github.com/openshift/api/config/v1.ClusterImagePolicyStatus": schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ClusterNetworkEntry": schema_openshift_api_config_v1_ClusterNetworkEntry(ref), "github.com/openshift/api/config/v1.ClusterOperator": schema_openshift_api_config_v1_ClusterOperator(ref), "github.com/openshift/api/config/v1.ClusterOperatorList": schema_openshift_api_config_v1_ClusterOperatorList(ref), @@ -241,7 +237,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.FeatureGateSpec": schema_openshift_api_config_v1_FeatureGateSpec(ref), "github.com/openshift/api/config/v1.FeatureGateStatus": schema_openshift_api_config_v1_FeatureGateStatus(ref), "github.com/openshift/api/config/v1.FeatureGateTests": schema_openshift_api_config_v1_FeatureGateTests(ref), - "github.com/openshift/api/config/v1.FulcioCAWithRekor": schema_openshift_api_config_v1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1.GCPPlatformSpec": schema_openshift_api_config_v1_GCPPlatformSpec(ref), "github.com/openshift/api/config/v1.GCPPlatformStatus": schema_openshift_api_config_v1_GCPPlatformStatus(ref), "github.com/openshift/api/config/v1.GCPResourceLabel": schema_openshift_api_config_v1_GCPResourceLabel(ref), @@ -272,10 +267,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ImageDigestMirrors": schema_openshift_api_config_v1_ImageDigestMirrors(ref), "github.com/openshift/api/config/v1.ImageLabel": schema_openshift_api_config_v1_ImageLabel(ref), "github.com/openshift/api/config/v1.ImageList": schema_openshift_api_config_v1_ImageList(ref), - "github.com/openshift/api/config/v1.ImagePolicy": schema_openshift_api_config_v1_ImagePolicy(ref), - "github.com/openshift/api/config/v1.ImagePolicyList": schema_openshift_api_config_v1_ImagePolicyList(ref), - "github.com/openshift/api/config/v1.ImagePolicySpec": schema_openshift_api_config_v1_ImagePolicySpec(ref), - "github.com/openshift/api/config/v1.ImagePolicyStatus": schema_openshift_api_config_v1_ImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ImageSpec": schema_openshift_api_config_v1_ImageSpec(ref), "github.com/openshift/api/config/v1.ImageStatus": schema_openshift_api_config_v1_ImageStatus(ref), "github.com/openshift/api/config/v1.ImageTagMirrorSet": schema_openshift_api_config_v1_ImageTagMirrorSet(ref), @@ -351,16 +342,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.OvirtPlatformLoadBalancer": schema_openshift_api_config_v1_OvirtPlatformLoadBalancer(ref), "github.com/openshift/api/config/v1.OvirtPlatformSpec": schema_openshift_api_config_v1_OvirtPlatformSpec(ref), "github.com/openshift/api/config/v1.OvirtPlatformStatus": schema_openshift_api_config_v1_OvirtPlatformStatus(ref), - "github.com/openshift/api/config/v1.PKI": schema_openshift_api_config_v1_PKI(ref), - "github.com/openshift/api/config/v1.PKICertificateSubject": schema_openshift_api_config_v1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1.PlatformSpec": schema_openshift_api_config_v1_PlatformSpec(ref), "github.com/openshift/api/config/v1.PlatformStatus": schema_openshift_api_config_v1_PlatformStatus(ref), - "github.com/openshift/api/config/v1.Policy": schema_openshift_api_config_v1_Policy(ref), - "github.com/openshift/api/config/v1.PolicyFulcioSubject": schema_openshift_api_config_v1_PolicyFulcioSubject(ref), - "github.com/openshift/api/config/v1.PolicyIdentity": schema_openshift_api_config_v1_PolicyIdentity(ref), - "github.com/openshift/api/config/v1.PolicyMatchExactRepository": schema_openshift_api_config_v1_PolicyMatchExactRepository(ref), - "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref), - "github.com/openshift/api/config/v1.PolicyRootOfTrust": schema_openshift_api_config_v1_PolicyRootOfTrust(ref), "github.com/openshift/api/config/v1.PowerVSPlatformSpec": schema_openshift_api_config_v1_PowerVSPlatformSpec(ref), "github.com/openshift/api/config/v1.PowerVSPlatformStatus": schema_openshift_api_config_v1_PowerVSPlatformStatus(ref), "github.com/openshift/api/config/v1.PowerVSServiceEndpoint": schema_openshift_api_config_v1_PowerVSServiceEndpoint(ref), @@ -375,7 +358,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ProxyList": schema_openshift_api_config_v1_ProxyList(ref), "github.com/openshift/api/config/v1.ProxySpec": schema_openshift_api_config_v1_ProxySpec(ref), "github.com/openshift/api/config/v1.ProxyStatus": schema_openshift_api_config_v1_ProxyStatus(ref), - "github.com/openshift/api/config/v1.PublicKey": schema_openshift_api_config_v1_PublicKey(ref), "github.com/openshift/api/config/v1.RegistryLocation": schema_openshift_api_config_v1_RegistryLocation(ref), "github.com/openshift/api/config/v1.RegistrySources": schema_openshift_api_config_v1_RegistrySources(ref), "github.com/openshift/api/config/v1.Release": schema_openshift_api_config_v1_Release(ref), @@ -404,8 +386,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.TokenClaimOrExpressionMapping": schema_openshift_api_config_v1_TokenClaimOrExpressionMapping(ref), "github.com/openshift/api/config/v1.TokenClaimValidationRule": schema_openshift_api_config_v1_TokenClaimValidationRule(ref), "github.com/openshift/api/config/v1.TokenConfig": schema_openshift_api_config_v1_TokenConfig(ref), + "github.com/openshift/api/config/v1.TokenExpressionRule": schema_openshift_api_config_v1_TokenExpressionRule(ref), "github.com/openshift/api/config/v1.TokenIssuer": schema_openshift_api_config_v1_TokenIssuer(ref), "github.com/openshift/api/config/v1.TokenRequiredClaim": schema_openshift_api_config_v1_TokenRequiredClaim(ref), + "github.com/openshift/api/config/v1.TokenUserValidationRule": schema_openshift_api_config_v1_TokenUserValidationRule(ref), "github.com/openshift/api/config/v1.Update": schema_openshift_api_config_v1_Update(ref), "github.com/openshift/api/config/v1.UpdateHistory": schema_openshift_api_config_v1_UpdateHistory(ref), "github.com/openshift/api/config/v1.UsernameClaimMapping": schema_openshift_api_config_v1_UsernameClaimMapping(ref), @@ -422,9 +406,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.VSpherePlatformTopology": schema_openshift_api_config_v1_VSpherePlatformTopology(ref), "github.com/openshift/api/config/v1.VSpherePlatformVCenterSpec": schema_openshift_api_config_v1_VSpherePlatformVCenterSpec(ref), "github.com/openshift/api/config/v1.WebhookTokenAuthenticator": schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref), - "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig": schema_openshift_api_config_v1alpha1_AlertmanagerConfig(ref), - "github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig": schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref), - "github.com/openshift/api/config/v1alpha1.Audit": schema_openshift_api_config_v1alpha1_Audit(ref), "github.com/openshift/api/config/v1alpha1.Backup": schema_openshift_api_config_v1alpha1_Backup(ref), "github.com/openshift/api/config/v1alpha1.BackupList": schema_openshift_api_config_v1alpha1_BackupList(ref), "github.com/openshift/api/config/v1alpha1.BackupSpec": schema_openshift_api_config_v1alpha1_BackupSpec(ref), @@ -437,7 +418,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringList": schema_openshift_api_config_v1alpha1_ClusterMonitoringList(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringSpec": schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), - "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor": schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), @@ -449,7 +429,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), - "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), @@ -591,20 +570,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/insights/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_insights_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/insights/v1alpha1.PersistentVolumeConfig": schema_openshift_api_insights_v1alpha1_PersistentVolumeConfig(ref), "github.com/openshift/api/insights/v1alpha1.Storage": schema_openshift_api_insights_v1alpha1_Storage(ref), - "github.com/openshift/api/insights/v1alpha2.Custom": schema_openshift_api_insights_v1alpha2_Custom(ref), - "github.com/openshift/api/insights/v1alpha2.DataGather": schema_openshift_api_insights_v1alpha2_DataGather(ref), - "github.com/openshift/api/insights/v1alpha2.DataGatherList": schema_openshift_api_insights_v1alpha2_DataGatherList(ref), - "github.com/openshift/api/insights/v1alpha2.DataGatherSpec": schema_openshift_api_insights_v1alpha2_DataGatherSpec(ref), - "github.com/openshift/api/insights/v1alpha2.DataGatherStatus": schema_openshift_api_insights_v1alpha2_DataGatherStatus(ref), - "github.com/openshift/api/insights/v1alpha2.GathererConfig": schema_openshift_api_insights_v1alpha2_GathererConfig(ref), - "github.com/openshift/api/insights/v1alpha2.GathererStatus": schema_openshift_api_insights_v1alpha2_GathererStatus(ref), - "github.com/openshift/api/insights/v1alpha2.Gatherers": schema_openshift_api_insights_v1alpha2_Gatherers(ref), - "github.com/openshift/api/insights/v1alpha2.HealthCheck": schema_openshift_api_insights_v1alpha2_HealthCheck(ref), - "github.com/openshift/api/insights/v1alpha2.InsightsReport": schema_openshift_api_insights_v1alpha2_InsightsReport(ref), - "github.com/openshift/api/insights/v1alpha2.ObjectReference": schema_openshift_api_insights_v1alpha2_ObjectReference(ref), - "github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference": schema_openshift_api_insights_v1alpha2_PersistentVolumeClaimReference(ref), - "github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig": schema_openshift_api_insights_v1alpha2_PersistentVolumeConfig(ref), - "github.com/openshift/api/insights/v1alpha2.Storage": schema_openshift_api_insights_v1alpha2_Storage(ref), "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig": schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref), "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerConfig": schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref), "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig": schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref), @@ -823,6 +788,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderSpec": schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref), "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderStatus": schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref), "github.com/openshift/api/machine/v1beta1.Workspace": schema_openshift_api_machine_v1beta1_Workspace(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs": schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs": schema_openshift_api_machineconfiguration_v1alpha1_BuildOutputs(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_ImageSecretObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeList": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref), @@ -831,11 +799,26 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigPoolReference(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuild(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildList": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildList(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildSpec(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuilderReference(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigList": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigList(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigReference(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigSpec(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSContainerfile(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSImageBuilder(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_ObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageRef": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageRef(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSet": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSet(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetList": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetList(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetSpec": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetSpec(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetStatus": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetStatus(ref), + "github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference": schema_openshift_api_machineconfiguration_v1alpha1_RenderedMachineConfigReference(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfig": schema_openshift_api_monitoring_v1_AlertRelabelConfig(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfigList": schema_openshift_api_monitoring_v1_AlertRelabelConfigList(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfigSpec": schema_openshift_api_monitoring_v1_AlertRelabelConfigSpec(ref), @@ -1020,7 +1003,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.InsightsOperatorSpec": schema_openshift_api_operator_v1_InsightsOperatorSpec(ref), "github.com/openshift/api/operator/v1.InsightsOperatorStatus": schema_openshift_api_operator_v1_InsightsOperatorStatus(ref), "github.com/openshift/api/operator/v1.InsightsReport": schema_openshift_api_operator_v1_InsightsReport(ref), - "github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides": schema_openshift_api_operator_v1_IrreconcilableValidationOverrides(ref), "github.com/openshift/api/operator/v1.KubeAPIServer": schema_openshift_api_operator_v1_KubeAPIServer(ref), "github.com/openshift/api/operator/v1.KubeAPIServerList": schema_openshift_api_operator_v1_KubeAPIServerList(ref), "github.com/openshift/api/operator/v1.KubeAPIServerSpec": schema_openshift_api_operator_v1_KubeAPIServerSpec(ref), @@ -1201,6 +1183,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/osin/v1.SessionSecret": schema_openshift_api_osin_v1_SessionSecret(ref), "github.com/openshift/api/osin/v1.SessionSecrets": schema_openshift_api_osin_v1_SessionSecrets(ref), "github.com/openshift/api/osin/v1.TokenConfig": schema_openshift_api_osin_v1_TokenConfig(ref), + "github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment": schema_openshift_api_platform_v1alpha1_ActiveBundleDeployment(ref), + "github.com/openshift/api/platform/v1alpha1.Package": schema_openshift_api_platform_v1alpha1_Package(ref), + "github.com/openshift/api/platform/v1alpha1.PlatformOperator": schema_openshift_api_platform_v1alpha1_PlatformOperator(ref), + "github.com/openshift/api/platform/v1alpha1.PlatformOperatorList": schema_openshift_api_platform_v1alpha1_PlatformOperatorList(ref), + "github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec": schema_openshift_api_platform_v1alpha1_PlatformOperatorSpec(ref), + "github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus": schema_openshift_api_platform_v1alpha1_PlatformOperatorStatus(ref), "github.com/openshift/api/project/v1.Project": schema_openshift_api_project_v1_Project(ref), "github.com/openshift/api/project/v1.ProjectList": schema_openshift_api_project_v1_ProjectList(ref), "github.com/openshift/api/project/v1.ProjectRequest": schema_openshift_api_project_v1_ProjectRequest(ref), @@ -1418,7 +1406,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "k8s.io/api/core/v1.NodeSelectorTerm": schema_k8sio_api_core_v1_NodeSelectorTerm(ref), "k8s.io/api/core/v1.NodeSpec": schema_k8sio_api_core_v1_NodeSpec(ref), "k8s.io/api/core/v1.NodeStatus": schema_k8sio_api_core_v1_NodeStatus(ref), - "k8s.io/api/core/v1.NodeSwapStatus": schema_k8sio_api_core_v1_NodeSwapStatus(ref), "k8s.io/api/core/v1.NodeSystemInfo": schema_k8sio_api_core_v1_NodeSystemInfo(ref), "k8s.io/api/core/v1.ObjectFieldSelector": schema_k8sio_api_core_v1_ObjectFieldSelector(ref), "k8s.io/api/core/v1.ObjectReference": schema_k8sio_api_core_v1_ObjectReference(ref), @@ -2538,6 +2525,7 @@ func schema_openshift_api_apps_v1_DeploymentConfigStatus(ref common.ReferenceCal }, }, }, + Required: []string{"latestVersion", "observedGeneration", "replicas", "updatedReplicas", "availableReplicas", "unavailableReplicas"}, }, }, Dependencies: []string{ @@ -5100,6 +5088,7 @@ func schema_openshift_api_authorization_v1_SubjectRulesReviewStatus(ref common.R }, }, }, + Required: []string{"rules"}, }, }, Dependencies: []string{ @@ -5669,6 +5658,7 @@ func schema_openshift_api_build_v1_BuildConfigStatus(ref common.ReferenceCallbac }, }, }, + Required: []string{"lastVersion"}, }, }, Dependencies: []string{ @@ -6378,6 +6368,7 @@ func schema_openshift_api_build_v1_BuildStatus(ref common.ReferenceCallback) com }, }, }, + Required: []string{"phase"}, }, }, Dependencies: []string{ @@ -8541,7 +8532,7 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) }, "tlsSecurityProfile": { SchemaProps: spec.SchemaProps{ - Description: "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", + Description: "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", Ref: ref("github.com/openshift/api/config/v1.TLSSecurityProfile"), }, }, @@ -8601,7 +8592,6 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) "type": { SchemaProps: spec.SchemaProps{ Description: "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n transport layer (TCP/SSL). See the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb", - Default: "", Type: []string{"string"}, Format: "", }, @@ -9153,7 +9143,6 @@ func schema_openshift_api_config_v1_AuditCustomRule(ref common.ReferenceCallback "profile": { SchemaProps: spec.SchemaProps{ Description: "profile specifies the name of the desired audit policy configuration to be deployed to all OpenShift-provided API servers in the cluster.\n\nThe following profiles are provided: - Default: the existing default policy. - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nIf unset, the 'Default' profile is used as the default.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -9387,6 +9376,7 @@ func schema_openshift_api_config_v1_AuthenticationStatus(ref common.ReferenceCal }, }, }, + Required: []string{"integratedOAuthMetadata", "oidcClients"}, }, }, Dependencies: []string{ @@ -9460,19 +9450,12 @@ func schema_openshift_api_config_v1_AzurePlatformStatus(ref common.ReferenceCall }, }, }, - "cloudLoadBalancerConfig": { - SchemaProps: spec.SchemaProps{ - Description: "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - Default: map[string]interface{}{"dnsType": "PlatformDefault"}, - Ref: ref("github.com/openshift/api/config/v1.CloudLoadBalancerConfig"), - }, - }, }, Required: []string{"resourceGroupName"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AzureResourceTag", "github.com/openshift/api/config/v1.CloudLoadBalancerConfig"}, + "github.com/openshift/api/config/v1.AzureResourceTag"}, } } @@ -10254,11 +10237,40 @@ func schema_openshift_api_config_v1_ClusterCondition(ref common.ReferenceCallbac } } -func schema_openshift_api_config_v1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "cidr": { + SchemaProps: spec.SchemaProps{ + Description: "The complete block for pod IPs.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "hostPrefix": { + SchemaProps: spec.SchemaProps{ + Description: "The size (prefix) of block to allocate to each node. If this field is not used by the plugin, it can be left unset.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + Required: []string{"cidr"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10284,32 +10296,32 @@ func schema_openshift_api_config_v1_ClusterImagePolicy(ref common.ReferenceCallb }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec contains the configuration for the cluster image policy.", + Description: "spec holds configuration that could apply to any operator.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicySpec"), + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorSpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status contains the observed state of the resource.", + Description: "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicyStatus"), + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatus"), }, }, }, - Required: []string{"spec"}, + Required: []string{"metadata", "spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterImagePolicySpec", "github.com/openshift/api/config/v1.ClusterImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/config/v1.ClusterOperatorSpec", "github.com/openshift/api/config/v1.ClusterOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1_ClusterImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterOperatorList is a list of OperatorStatus resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10335,13 +10347,12 @@ func schema_openshift_api_config_v1_ClusterImagePolicyList(ref common.ReferenceC }, "items": { SchemaProps: spec.SchemaProps{ - Description: "items is a list of ClusterImagePolices", - Type: []string{"array"}, + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicy"), + Ref: ref("github.com/openshift/api/config/v1.ClusterOperator"), }, }, }, @@ -10352,123 +10363,151 @@ func schema_openshift_api_config_v1_ClusterImagePolicyList(ref common.ReferenceC }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/config/v1.ClusterOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + Description: "ClusterOperatorSpec is empty for now, but you could imagine holding information like \"pause\".", + Type: []string{"object"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterOperatorStatus provides information about the status of the operator.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "scopes": { + "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", }, }, SchemaProps: spec.SchemaProps{ - Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + Description: "conditions describes the state of the operator's managed and monitored components.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatusCondition"), }, }, }, }, }, - "policy": { + "versions": { SchemaProps: spec.SchemaProps{ - Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), - }, - }, - }, - Required: []string{"scopes", "policy"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, - } -} - -func schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", + Description: "versions is a slice of operator and operand version tuples. Operators which manage multiple operands will have multiple operand entries in the array. Available operators must report the version of the operator itself with the name \"operator\". An operator reports a new \"operator\" version when it has rolled out the new version to all of its operands.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.OperandVersion"), + }, }, - "x-kubernetes-list-type": "map", }, }, + }, + "relatedObjects": { SchemaProps: spec.SchemaProps{ - Description: "conditions provide details on the status of this API Resource.", + Description: "relatedObjects is a list of objects that are \"interesting\" or related to this operator. Common uses are: 1. the detailed resource driving the operator 2. operator namespaces 3. operand namespaces", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + Ref: ref("github.com/openshift/api/config/v1.ObjectReference"), }, }, }, }, }, + "extension": { + SchemaProps: spec.SchemaProps{ + Description: "extension contains any additional status information specific to the operator which owns this status object.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + }, + }, }, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ObjectReference", "github.com/openshift/api/config/v1.OperandVersion", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_config_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterOperatorStatusCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", + Description: "ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "cidr": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "The complete block for pod IPs.", + Description: "type specifies the aspect reported by this condition.", Default: "", Type: []string{"string"}, Format: "", }, }, - "hostPrefix": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "The size (prefix) of block to allocate to each node. If this field is not used by the plugin, it can be left unset.", - Type: []string{"integer"}, - Format: "int64", + Description: "status of the condition, one of True, False, Unknown.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the time of the last update to the current status property.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason is the CamelCase reason for the condition's current status.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"cidr"}, + Required: []string{"type", "status", "lastTransitionTime"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10494,362 +10533,125 @@ func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec holds configuration that could apply to any operator.", + Description: "spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorSpec"), + Ref: ref("github.com/openshift/api/config/v1.ClusterVersionSpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", + Description: "status contains information about the available updates and any in-progress updates.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatus"), + Ref: ref("github.com/openshift/api/config/v1.ClusterVersionStatus"), }, }, }, - Required: []string{"metadata", "spec"}, + Required: []string{"spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperatorSpec", "github.com/openshift/api/config/v1.ClusterOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/config/v1.ClusterVersionSpec", "github.com/openshift/api/config/v1.ClusterVersionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterVersionCapabilitiesSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorList is a list of OperatorStatus resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperator"), - }, - }, - }, - }, - }, - }, - Required: []string{"metadata", "items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, - } -} - -func schema_openshift_api_config_v1_ClusterOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorSpec is empty for now, but you could imagine holding information like \"pause\".", - Type: []string{"object"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorStatus provides information about the status of the operator.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "conditions describes the state of the operator's managed and monitored components.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatusCondition"), - }, - }, - }, - }, - }, - "versions": { - SchemaProps: spec.SchemaProps{ - Description: "versions is a slice of operator and operand version tuples. Operators which manage multiple operands will have multiple operand entries in the array. Available operators must report the version of the operator itself with the name \"operator\". An operator reports a new \"operator\" version when it has rolled out the new version to all of its operands.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.OperandVersion"), - }, - }, - }, - }, - }, - "relatedObjects": { - SchemaProps: spec.SchemaProps{ - Description: "relatedObjects is a list of objects that are \"interesting\" or related to this operator. Common uses are: 1. the detailed resource driving the operator 2. operator namespaces 3. operand namespaces", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ObjectReference"), - }, - }, - }, - }, - }, - "extension": { - SchemaProps: spec.SchemaProps{ - Description: "extension contains any additional status information specific to the operator which owns this status object.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ObjectReference", "github.com/openshift/api/config/v1.OperandVersion", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, - } -} - -func schema_openshift_api_config_v1_ClusterOperatorStatusCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type specifies the aspect reported by this condition.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status of the condition, one of True, False, Unknown.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "lastTransitionTime": { - SchemaProps: spec.SchemaProps{ - Description: "lastTransitionTime is the time of the last update to the current status property.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), - }, - }, - "reason": { - SchemaProps: spec.SchemaProps{ - Description: "reason is the CamelCase reason for the condition's current status.", - Type: []string{"string"}, - Format: "", - }, - }, - "message": { - SchemaProps: spec.SchemaProps{ - Description: "message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"type", "status", "lastTransitionTime"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, - } -} - -func schema_openshift_api_config_v1_ClusterVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterVersionSpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status contains information about the available updates and any in-progress updates.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterVersionStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterVersionSpec", "github.com/openshift/api/config/v1.ClusterVersionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_config_v1_ClusterVersionCapabilitiesSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionCapabilitiesSpec selects the managed set of optional, core cluster components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "baselineCapabilitySet": { - SchemaProps: spec.SchemaProps{ - Description: "baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.", - Type: []string{"string"}, - Format: "", - }, - }, - "additionalEnabledCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterVersionCapabilitiesStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionCapabilitiesStatus describes the state of optional, core cluster components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "enabledCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "enabledCapabilities lists all the capabilities that are currently managed.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "knownCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "knownCapabilities lists all the capabilities known to the current cluster.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterVersionList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionList is a list of ClusterVersion resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterVersionCapabilitiesSpec selects the managed set of optional, core cluster components.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "baselineCapabilitySet": { + SchemaProps: spec.SchemaProps{ + Description: "baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.", + Type: []string{"string"}, + Format: "", + }, + }, + "additionalEnabledCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterVersionCapabilitiesStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersionCapabilitiesStatus describes the state of optional, core cluster components.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "enabledCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "enabledCapabilities lists all the capabilities that are currently managed.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "knownCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "knownCapabilities lists all the capabilities known to the current cluster.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterVersionList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersionList is a list of ClusterVersion resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10925,7 +10727,7 @@ func schema_openshift_api_config_v1_ClusterVersionSpec(ref common.ReferenceCallb }, "channel": { SchemaProps: spec.SchemaProps{ - Description: "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", + Description: "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", Type: []string{"string"}, Format: "", }, @@ -11111,7 +10913,7 @@ func schema_openshift_api_config_v1_ClusterVersionStatus(ref common.ReferenceCal }, }, }, - Required: []string{"desired", "observedGeneration", "versionHash", "availableUpdates"}, + Required: []string{"desired", "observedGeneration", "versionHash", "capabilities", "availableUpdates"}, }, }, Dependencies: []string{ @@ -11662,6 +11464,7 @@ func schema_openshift_api_config_v1_ConsoleStatus(ref common.ReferenceCallback) }, }, }, + Required: []string{"consoleURL"}, }, }, } @@ -12350,7 +12153,7 @@ func schema_openshift_api_config_v1_ExtraMapping(ref common.ReferenceCallback) c }, "valueExpression": { SchemaProps: spec.SchemaProps{ - Description: "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", + Description: "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", Default: "", Type: []string{"string"}, Format: "", @@ -12665,6 +12468,7 @@ func schema_openshift_api_config_v1_FeatureGateStatus(ref common.ReferenceCallba }, }, }, + Required: []string{"featureGates"}, }, }, Dependencies: []string{ @@ -12709,43 +12513,6 @@ func schema_openshift_api_config_v1_FeatureGateTests(ref common.ReferenceCallbac } } -func schema_openshift_api_config_v1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, - } -} - func schema_openshift_api_config_v1_GCPPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -12841,7 +12608,7 @@ func schema_openshift_api_config_v1_GCPPlatformStatus(ref common.ReferenceCallba }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", + Description: "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -13434,7 +13201,7 @@ func schema_openshift_api_config_v1_IBMCloudPlatformSpec(ref common.ReferenceCal }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -13506,7 +13273,7 @@ func schema_openshift_api_config_v1_IBMCloudPlatformStatus(ref common.ReferenceC }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -14181,187 +13948,6 @@ func schema_openshift_api_config_v1_ImageList(ref common.ReferenceCallback) comm } } -func schema_openshift_api_config_v1_ImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec holds user settable values for configuration", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ImagePolicySpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status contains the observed state of the resource.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ImagePolicyStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.ImagePolicySpec", "github.com/openshift/api/config/v1.ImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Description: "items is a list of ImagePolicies", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ImagePolicy"), - }, - }, - }, - }, - }, - }, - Required: []string{"metadata", "items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.ImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, - } -} - -func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicySpec is the specification of the ImagePolicy CRD.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "scopes": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "policy": { - SchemaProps: spec.SchemaProps{ - Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), - }, - }, - }, - Required: []string{"scopes", "policy"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, - } -} - -func schema_openshift_api_config_v1_ImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, - } -} - func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -14872,6 +14458,7 @@ func schema_openshift_api_config_v1_InfrastructureStatus(ref common.ReferenceCal "infrastructureTopology": { SchemaProps: spec.SchemaProps{ Description: "infrastructureTopology expresses the expectations for infrastructure services that do not run on control plane nodes, usually indicated by a node selector for a `role` value other than `master`. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation NOTE: External topology mode is not applicable for this field.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -14885,6 +14472,7 @@ func schema_openshift_api_config_v1_InfrastructureStatus(ref common.ReferenceCal }, }, }, + Required: []string{"infrastructureName", "etcdDiscoveryDomain", "apiServerURL", "apiServerInternalURI", "controlPlaneTopology", "infrastructureTopology"}, }, }, Dependencies: []string{ @@ -16873,12 +16461,11 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + Description: "componentName is the name of the component that is supposed to consume this client configuration", Default: "", Type: []string{"string"}, Format: "", @@ -16886,7 +16473,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is the namespace of the component that is supposed to consume this client configuration", Default: "", Type: []string{"string"}, Format: "", @@ -16894,7 +16481,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientID": { SchemaProps: spec.SchemaProps{ - Description: "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + Description: "clientID is the identifier of the OIDC client from the OIDC provider", Default: "", Type: []string{"string"}, Format: "", @@ -16902,7 +16489,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + Description: "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.SecretNameReference"), }, @@ -16914,7 +16501,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", + Description: "extraScopes is an optional set of scopes to request tokens with.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16928,7 +16515,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, }, }, - Required: []string{"componentName", "componentNamespace", "clientID"}, + Required: []string{"componentName", "componentNamespace", "clientID", "clientSecret", "extraScopes"}, }, }, Dependencies: []string{ @@ -16940,12 +16527,11 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OIDCClientReference is a reference to a platform component client configuration.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "oidcProviderName": { SchemaProps: spec.SchemaProps{ - Description: "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + Description: "OIDCName refers to the `name` of the provider from `oidcProviders`", Default: "", Type: []string{"string"}, Format: "", @@ -16953,7 +16539,7 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall }, "issuerURL": { SchemaProps: spec.SchemaProps{ - Description: "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + Description: "URL is the serving URL of the token issuer. Must use the https:// scheme.", Default: "", Type: []string{"string"}, Format: "", @@ -16961,7 +16547,7 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall }, "clientID": { SchemaProps: spec.SchemaProps{ - Description: "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", + Description: "clientID is the identifier of the OIDC client from the OIDC provider", Default: "", Type: []string{"string"}, Format: "", @@ -16978,12 +16564,11 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + Description: "componentName is the name of the component that will consume a client configuration.", Default: "", Type: []string{"string"}, Format: "", @@ -16991,7 +16576,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is the namespace of the component that will consume a client configuration.", Default: "", Type: []string{"string"}, Format: "", @@ -17008,7 +16593,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + Description: "currentOIDCClients is a list of clients that the component is currently using.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -17027,7 +16612,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", + Description: "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -17063,7 +16648,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, }, - Required: []string{"componentName", "componentNamespace"}, + Required: []string{"componentName", "componentNamespace", "currentOIDCClients", "consumingUsers"}, }, }, Dependencies: []string{ @@ -17079,7 +16664,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + Description: "name of the OIDC provider", Default: "", Type: []string{"string"}, Format: "", @@ -17087,7 +16672,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, "issuer": { SchemaProps: spec.SchemaProps{ - Description: "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + Description: "issuer describes atributes of the OIDC token issuer", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.TokenIssuer"), }, @@ -17103,7 +16688,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, SchemaProps: spec.SchemaProps{ - Description: "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + Description: "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -17117,7 +16702,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, "claimMappings": { SchemaProps: spec.SchemaProps{ - Description: "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + Description: "claimMappings describes rules on how to transform information from an ID token into a cluster identity", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.TokenClaimMappings"), }, @@ -17129,7 +16714,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, SchemaProps: spec.SchemaProps{ - Description: "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + Description: "claimValidationRules are rules that are applied to validate token claims to authenticate users.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -17141,12 +16726,30 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, }, + "userValidationRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.TokenUserValidationRule"), + }, + }, + }, + }, + }, }, - Required: []string{"name", "issuer", "claimMappings"}, + Required: []string{"name", "issuer", "oidcClients", "claimMappings"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer"}, + "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer", "github.com/openshift/api/config/v1.TokenUserValidationRule"}, } } @@ -17917,70 +17520,6 @@ func schema_openshift_api_config_v1_OvirtPlatformStatus(ref common.ReferenceCall } } -func schema_openshift_api_config_v1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PKICertificateSubject"}, - } -} - -func schema_openshift_api_config_v1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "email": { - SchemaProps: spec.SchemaProps{ - Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", - Type: []string{"string"}, - Format: "", - }, - }, - "hostname": { - SchemaProps: spec.SchemaProps{ - Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - func schema_openshift_api_config_v1_PlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18197,220 +17736,6 @@ func schema_openshift_api_config_v1_PlatformStatus(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Policy defines the verification policy for the items in the scopes list.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "rootOfTrust": { - SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), - }, - }, - "signedIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), - }, - }, - }, - Required: []string{"rootOfTrust"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, - } -} - -func schema_openshift_api_config_v1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "oidcIssuer": { - SchemaProps: spec.SchemaProps{ - Description: "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "signedEmail": { - SchemaProps: spec.SchemaProps{ - Description: "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"oidcIssuer", "signedEmail"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_PolicyIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "matchPolicy": { - SchemaProps: spec.SchemaProps{ - Description: "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "exactRepository": { - SchemaProps: spec.SchemaProps{ - Description: "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", - Ref: ref("github.com/openshift/api/config/v1.PolicyMatchExactRepository"), - }, - }, - "remapIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", - Ref: ref("github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"), - }, - }, - }, - Required: []string{"matchPolicy"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "matchPolicy", - "fields-to-discriminateBy": map[string]interface{}{ - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyMatchExactRepository", "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"}, - } -} - -func schema_openshift_api_config_v1_PolicyMatchExactRepository(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "repository": { - SchemaProps: spec.SchemaProps{ - Description: "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"repository"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "prefix": { - SchemaProps: spec.SchemaProps{ - Description: "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "signedPrefix": { - SchemaProps: spec.SchemaProps{ - Description: "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"prefix", "signedPrefix"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "policyType": { - SchemaProps: spec.SchemaProps{ - Description: "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "publicKey": { - SchemaProps: spec.SchemaProps{ - Description: "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PublicKey"), - }, - }, - "fulcioCAWithRekor": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1.FulcioCAWithRekor"), - }, - }, - "pki": { - SchemaProps: spec.SchemaProps{ - Description: "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PKI"), - }, - }, - }, - Required: []string{"policyType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "policyType", - "fields-to-discriminateBy": map[string]interface{}{ - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.FulcioCAWithRekor", "github.com/openshift/api/config/v1.PKI", "github.com/openshift/api/config/v1.PublicKey"}, - } -} - func schema_openshift_api_config_v1_PowerVSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18558,12 +17883,11 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + Description: "claim is a JWT token claim to be used in the mapping", Default: "", Type: []string{"string"}, Format: "", @@ -18571,14 +17895,14 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal }, "prefix": { SchemaProps: spec.SchemaProps{ - Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + Description: "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"claim"}, + Required: []string{"claim", "prefix"}, }, }, } @@ -18961,34 +18285,6 @@ func schema_openshift_api_config_v1_ProxyStatus(ref common.ReferenceCallback) co } } -func schema_openshift_api_config_v1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PublicKey defines the root of trust based on a sigstore public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyData": { - SchemaProps: spec.SchemaProps{ - Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - }, - Required: []string{"keyData"}, - }, - }, - } -} - func schema_openshift_api_config_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -20078,12 +19374,11 @@ func schema_openshift_api_config_v1_TokenClaimMapping(ref common.ReferenceCallba return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + Description: "claim is a JWT token claim to be used in the mapping", Default: "", Type: []string{"string"}, Format: "", @@ -20104,14 +19399,14 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "username": { SchemaProps: spec.SchemaProps{ - Description: "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + Description: "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.UsernameClaimMapping"), }, }, "groups": { SchemaProps: spec.SchemaProps{ - Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + Description: "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.PrefixedClaimMapping"), }, @@ -20132,7 +19427,7 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, SchemaProps: spec.SchemaProps{ - Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20145,7 +19440,6 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, }, - Required: []string{"username"}, }, }, Dependencies: []string{ @@ -20169,7 +19463,7 @@ func schema_openshift_api_config_v1_TokenClaimOrExpressionMapping(ref common.Ref }, "expression": { SchemaProps: spec.SchemaProps{ - Description: "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", + Description: "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", Type: []string{"string"}, Format: "", }, @@ -20188,25 +19482,30 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + Description: "type sets the type of the validation rule", Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{}, }, }, "requiredClaim": { SchemaProps: spec.SchemaProps{ - Description: "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + Description: "requiredClaim allows configuring a required claim name and its expected value. RequiredClaim is used when type is RequiredClaim.", Ref: ref("github.com/openshift/api/config/v1.TokenRequiredClaim"), }, }, + "expressionRule": { + SchemaProps: spec.SchemaProps{ + Description: "expressionRule contains the configuration for the \"Expression\" type. Must be set if type == \"Expression\".", + Ref: ref("github.com/openshift/api/config/v1.TokenExpressionRule"), + }, + }, }, Required: []string{"type"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.TokenRequiredClaim"}, + "github.com/openshift/api/config/v1.TokenExpressionRule", "github.com/openshift/api/config/v1.TokenRequiredClaim"}, } } @@ -20245,6 +19544,34 @@ func schema_openshift_api_config_v1_TokenConfig(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_TokenExpressionRule(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"expression"}, + }, + }, + } +} + func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -20253,7 +19580,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co Properties: map[string]spec.Schema{ "issuerURL": { SchemaProps: spec.SchemaProps{ - Description: "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", + Description: "URL is the serving URL of the token issuer. Must use the https:// scheme.", Default: "", Type: []string{"string"}, Format: "", @@ -20266,7 +19593,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, }, SchemaProps: spec.SchemaProps{ - Description: "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + Description: "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20281,13 +19608,26 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, "issuerCertificateAuthority": { SchemaProps: spec.SchemaProps{ - Description: "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", + Description: "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), }, }, + "discoveryURL": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "audienceMatchPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "audienceMatchPolicy specifies how token audiences are matched. If omitted, the system applies a default policy. Valid values are: - \"MatchAny\": The token is accepted if any of its audiences match any of the configured audiences.", + Type: []string{"string"}, + Format: "", + }, + }, }, - Required: []string{"issuerURL", "audiences"}, + Required: []string{"issuerURL", "audiences", "issuerCertificateAuthority"}, }, }, Dependencies: []string{ @@ -20303,7 +19643,7 @@ func schema_openshift_api_config_v1_TokenRequiredClaim(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + Description: "claim is a name of a required claim. Only claims with string values are supported.", Default: "", Type: []string{"string"}, Format: "", @@ -20311,7 +19651,7 @@ func schema_openshift_api_config_v1_TokenRequiredClaim(ref common.ReferenceCallb }, "requiredValue": { SchemaProps: spec.SchemaProps{ - Description: "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", + Description: "requiredValue is the required value for the claim.", Default: "", Type: []string{"string"}, Format: "", @@ -20324,6 +19664,34 @@ func schema_openshift_api_config_v1_TokenRequiredClaim(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1_TokenUserValidationRule(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims. If the expression evaluates to false, the token is rejected. See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. At least one rule must evaluate to true for the token to be considered valid.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"expression"}, + }, + }, + } +} + func schema_openshift_api_config_v1_Update(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -20422,7 +19790,7 @@ func schema_openshift_api_config_v1_UpdateHistory(ref common.ReferenceCallback) }, "acceptedRisks": { SchemaProps: spec.SchemaProps{ - Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", Type: []string{"string"}, Format: "", }, @@ -20444,7 +19812,7 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + Description: "claim is a JWT token claim to be used in the mapping", Default: "", Type: []string{"string"}, Format: "", @@ -20452,34 +19820,19 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal }, "prefixPolicy": { SchemaProps: spec.SchemaProps{ - Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + Description: "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{}, }, }, "prefix": { SchemaProps: spec.SchemaProps{ - Description: "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", - Ref: ref("github.com/openshift/api/config/v1.UsernamePrefix"), - }, - }, - }, - Required: []string{"claim"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "prefixPolicy", - "fields-to-discriminateBy": map[string]interface{}{ - "claim": "Claim", - "prefix": "Prefix", - }, + Ref: ref("github.com/openshift/api/config/v1.UsernamePrefix"), }, }, }, + Required: []string{"claim", "prefixPolicy", "prefix"}, }, }, Dependencies: []string{ @@ -20491,15 +19844,13 @@ func schema_openshift_api_config_v1_UsernamePrefix(ref common.ReferenceCallback) return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ "prefixString": { SchemaProps: spec.SchemaProps{ - Description: "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", - Default: "", - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, @@ -21188,185 +20539,6 @@ func schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref common.Referen } } -func schema_openshift_api_config_v1alpha1_AlertmanagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "alertmanagerConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "deploymentMode": { - SchemaProps: spec.SchemaProps{ - Description: "deploymentMode determines whether the default Alertmanager instance should be deployed as part of the monitoring stack. Allowed values are Disabled, DefaultConfig, and CustomConfig. When set to Disabled, the Alertmanager instance will not be deployed. When set to DefaultConfig, the platform will deploy Alertmanager with default settings. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", - Type: []string{"string"}, - Format: "", - }, - }, - "customConfig": { - SchemaProps: spec.SchemaProps{ - Description: "customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig"), - }, - }, - }, - Required: []string{"deploymentMode"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig"}, - } -} - -func schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "logLevel": { - SchemaProps: spec.SchemaProps{ - Description: "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", - Type: []string{"string"}, - Format: "", - }, - }, - "nodeSelector": { - SchemaProps: spec.SchemaProps{ - Description: "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "resources": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ContainerResource"), - }, - }, - }, - }, - }, - "secrets": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "tolerations": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.Toleration"), - }, - }, - }, - }, - }, - "topologySpreadConstraints": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "topologyKey", - "whenUnsatisfiable", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.TopologySpreadConstraint"), - }, - }, - }, - }, - }, - "volumeClaimTemplate": { - SchemaProps: spec.SchemaProps{ - Description: "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.", - Ref: ref("k8s.io/api/core/v1.PersistentVolumeClaim"), - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ContainerResource", "k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint"}, - } -} - -func schema_openshift_api_config_v1alpha1_Audit(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Audit profile configurations", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "profile": { - SchemaProps: spec.SchemaProps{ - Description: "profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. Allowed values are None, Metadata, Request, or RequestResponse. When set to None, audit logging is disabled and no audit events are recorded. When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. When set to Request, event metadata and the request body are logged, but not the response body. When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.\n\nSee: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy for more information about auditing and log levels.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"profile"}, - }, - }, - } -} - func schema_openshift_api_config_v1alpha1_Backup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -21790,30 +20962,17 @@ func schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref common.Refer Properties: map[string]spec.Schema{ "userDefined": { SchemaProps: spec.SchemaProps{ - Description: "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", + Description: "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"), }, }, - "alertmanagerConfig": { - SchemaProps: spec.SchemaProps{ - Description: "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.AlertmanagerConfig"), - }, - }, - "metricsServerConfig": { - SchemaProps: spec.SchemaProps{ - Description: "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.MetricsServerConfig"), - }, - }, }, + Required: []string{"userDefined"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig", "github.com/openshift/api/config/v1alpha1.MetricsServerConfig", "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, + "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, } } @@ -21821,48 +20980,13 @@ func schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref common.Ref return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterMonitoringStatus defines the observed state of ClusterMonitoring", + Description: "MonitoringOperatorStatus defines the observed state of MonitoringOperator", Type: []string{"object"}, }, }, } } -func schema_openshift_api_config_v1alpha1_ContainerResource(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ContainerResource defines a single resource requirement for a container.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name of the resource (e.g. \"cpu\", \"memory\", \"hugepages-2Mi\"). This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.", - Type: []string{"string"}, - Format: "", - }, - }, - "request": { - SchemaProps: spec.SchemaProps{ - Description: "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit.", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), - }, - }, - "limit": { - SchemaProps: spec.SchemaProps{ - Description: "limit is the maximum amount of the resource allowed (e.g. \"2Mi\", \"1Gi\"). This field is optional. When request is specified, limit cannot be less than request. The value must be greater than 0 when specified.", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), - }, - }, - }, - Required: []string{"name"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/api/resource.Quantity"}, - } -} - func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -22301,115 +21425,6 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } -func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "audit": { - SchemaProps: spec.SchemaProps{ - Description: "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.Audit"), - }, - }, - "nodeSelector": { - SchemaProps: spec.SchemaProps{ - Description: "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "tolerations": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.Toleration"), - }, - }, - }, - }, - }, - "verbosity": { - SchemaProps: spec.SchemaProps{ - Description: "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", - Type: []string{"string"}, - Format: "", - }, - }, - "resources": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ContainerResource"), - }, - }, - }, - }, - }, - "topologySpreadConstraints": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "topologyKey", - "whenUnsatisfiable", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.TopologySpreadConstraint"), - }, - }, - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Audit", "github.com/openshift/api/config/v1alpha1.ContainerResource", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint"}, - } -} - func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -22694,7 +21709,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference Properties: map[string]spec.Schema{ "policyType": { SchemaProps: spec.SchemaProps{ - Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", Default: "", Type: []string{"string"}, Format: "", @@ -22779,7 +21794,6 @@ func schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref common.Refer "maxNumberOfBackups": { SchemaProps: spec.SchemaProps{ Description: "maxNumberOfBackups defines the maximum number of backups to retain. If the existing number of backups saved is equal to MaxNumberOfBackups then the oldest backup will be removed before a new backup is initiated.", - Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -22851,7 +21865,6 @@ func schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref common.Referen "maxSizeOfBackupsGb": { SchemaProps: spec.SchemaProps{ Description: "maxSizeOfBackupsGb defines the total size in GB of backups to retain. If the current total size backups exceeds MaxSizeOfBackupsGb then the oldest backup will be removed before a new backup is initiated.", - Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -22902,7 +21915,7 @@ func schema_openshift_api_config_v1alpha1_UserDefinedMonitoring(ref common.Refer Properties: map[string]spec.Schema{ "mode": { SchemaProps: spec.SchemaProps{ - Description: "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", + Description: "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", Default: "", Type: []string{"string"}, Format: "", @@ -24253,6 +23266,7 @@ func schema_openshift_api_console_v1_ConsolePluginService(ref common.ReferenceCa "basePath": { SchemaProps: spec.SchemaProps{ Description: "basePath is the path to the plugin's assets. The primary asset it the manifest file called `plugin-manifest.json`, which is a JSON document that contains metadata about the plugin and the extensions.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -25272,7 +24286,6 @@ func schema_openshift_api_example_v1_CELUnion(ref common.ReferenceCallback) comm "type": { SchemaProps: spec.SchemaProps{ Description: "type determines which of the union members should be populated.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -25320,7 +24333,6 @@ func schema_openshift_api_example_v1_EvolvingUnion(ref common.ReferenceCallback) "type": { SchemaProps: spec.SchemaProps{ Description: "type is the discriminator. It has different values for Default and for TechPreviewNoUpgrade", - Default: "", Type: []string{"string"}, Format: "", }, @@ -27372,6 +26384,7 @@ func schema_openshift_api_image_v1_ImageStreamStatus(ref common.ReferenceCallbac }, }, }, + Required: []string{"dockerImageRepository"}, }, }, Dependencies: []string{ @@ -28754,49 +27767,34 @@ func schema_openshift_api_insights_v1alpha1_Storage(ref common.ReferenceCallback } } -func schema_openshift_api_insights_v1alpha2_Custom(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "custom provides the custom configuration of gatherers", + Description: "AggregatorConfig holds information required to make the aggregator function.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configs": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, + "proxyClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.GathererConfig"), - }, - }, - }, + Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.CertInfo"), }, }, }, - Required: []string{"configs"}, + Required: []string{"proxyClientInfo"}, }, }, Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.GathererConfig"}, + "github.com/openshift/api/config/v1.CertInfo"}, } } -func schema_openshift_api_insights_v1alpha2_DataGather(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DataGather provides data gather configuration options and status for the particular Insights data gathering.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -28813,656 +27811,701 @@ func schema_openshift_api_insights_v1alpha2_DataGather(ref common.ReferenceCallb Format: "", }, }, - "metadata": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Description: "servingInfo describes how to start serving", Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Ref: ref("github.com/openshift/api/config/v1.HTTPServingInfo"), }, }, - "spec": { + "corsAllowedOrigins": { SchemaProps: spec.SchemaProps{ - Description: "spec holds user settable values for configuration", + Description: "corsAllowedOrigins", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "auditConfig": { + SchemaProps: spec.SchemaProps{ + Description: "auditConfig describes how to configure audit information", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGatherSpec"), + Ref: ref("github.com/openshift/api/config/v1.AuditConfig"), }, }, - "status": { + "storageConfig": { SchemaProps: spec.SchemaProps{ - Description: "status holds observed values from the cluster. They may not be overridden.", + Description: "storageConfig contains information about how to use", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGatherStatus"), + Ref: ref("github.com/openshift/api/config/v1.EtcdStorageConfig"), }, }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.DataGatherSpec", "github.com/openshift/api/insights/v1alpha2.DataGatherStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_insights_v1alpha2_DataGatherList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DataGatherList is a collection of items\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { + "admission": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "admissionConfig holds information about how to configure admission.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.AdmissionConfig"), }, }, - "apiVersion": { + "kubeClientConfig": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), }, }, - "metadata": { + "authConfig": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig"), }, }, - "items": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + "aggregatorConfig": { SchemaProps: spec.SchemaProps{ - Description: "items contains a list of DataGather resources.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGather"), - }, - }, - }, + Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig"), }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.DataGather", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, - } -} - -func schema_openshift_api_insights_v1alpha2_DataGatherSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DataGatherSpec contains the configuration for the DataGather.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "dataPolicy": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, + "kubeletClientInfo": { + SchemaProps: spec.SchemaProps{ + Description: "kubeletClientInfo contains information about how to connect to kubelets", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo"), }, + }, + "servicesSubnet": { SchemaProps: spec.SchemaProps{ - Description: "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "servicesSubnet is the subnet to use for assigning service IPs", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "gatherers": { + "servicesNodePortRange": { SchemaProps: spec.SchemaProps{ - Description: "gatherers is an optional field that specifies the configuration of the gatherers. If omitted, all gatherers will be run.", - Ref: ref("github.com/openshift/api/insights/v1alpha2.Gatherers"), + Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "storage": { + "consolePublicURL": { SchemaProps: spec.SchemaProps{ - Description: "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", - Ref: ref("github.com/openshift/api/insights/v1alpha2.Storage"), + Description: "DEPRECATED: consolePublicURL has been deprecated and setting it has no effect.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.Gatherers", "github.com/openshift/api/insights/v1alpha2.Storage"}, - } -} - -func schema_openshift_api_insights_v1alpha2_DataGatherStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DataGatherStatus contains information relating to the DataGather state.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, + "userAgentMatchingConfig": { + SchemaProps: spec.SchemaProps{ + Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig"), }, + }, + "imagePolicyConfig": { SchemaProps: spec.SchemaProps{ - Description: "conditions is an optional field that provides details on the status of the gatherer job. It may not exceed 100 items and must not contain duplicates.\n\nThe current condition types are DataUploaded, DataRecorded, DataProcessed, RemoteConfigurationNotAvailable, RemoteConfigurationInvalid\n\nThe DataUploaded condition is used to represent whether or not the archive was successfully uploaded for further processing. When it has a status of True and a reason of Succeeded, the archive was successfully uploaded. When it has a status of Unknown and a reason of NoUploadYet, the upload has not occurred, or there was no data to upload. When it has a status of False and a reason Failed, the upload failed. The accompanying message will include the specific error encountered.\n\nThe DataRecorded condition is used to represent whether or not the archive was successfully recorded. When it has a status of True and a reason of Succeeded, the archive was recorded successfully. When it has a status of Unknown and a reason of NoDataGatheringYet, the data gathering process has not started yet. When it has a status of False and a reason of RecordingFailed, the recording failed and a message will include the specific error encountered.\n\nThe DataProcessed condition is used to represent whether or not the archive was processed by the processing service. When it has a status of True and a reason of Processed, the data was processed successfully. When it has a status of Unknown and a reason of NothingToProcessYet, there is no data to process at the moment. When it has a status of False and a reason of Failure, processing failed and a message will include the specific error encountered.\n\nThe RemoteConfigurationAvailable condition is used to represent whether the remote configuration is available. When it has a status of Unknown and a reason of Unknown or RemoteConfigNotRequestedYet, the state of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is available. When it has a status of False and a reason of NoToken, the configuration was disabled by removing the cloud.openshift.com field from the pull secret. When it has a status of False and a reason of DisabledByConfiguration, the configuration was disabled in insightsdatagather.config.openshift.io.\n\nThe RemoteConfigurationValid condition is used to represent whether the remote configuration is valid. When it has a status of Unknown and a reason of Unknown or NoValidationYet, the validity of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is valid. When it has a status of False and a reason of Invalid, the configuration is invalid.\n\nThe Progressing condition is used to represent the phase of gathering When it has a status of False and the reason is DataGatherPending, the gathering has not started yet. When it has a status of True and reason is Gathering, the gathering is running. When it has a status of False and reason is GatheringSucceeded, the gathering succesfully finished. When it has a status of False and reason is GatheringFailed, the gathering failed.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, + Description: "imagePolicyConfig feeds the image policy admission plugin", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig"), }, }, - "gatherers": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, + "projectConfig": { + SchemaProps: spec.SchemaProps{ + Description: "projectConfig feeds an admission plugin", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig"), }, + }, + "serviceAccountPublicKeyFiles": { SchemaProps: spec.SchemaProps{ - Description: "gatherers is a list of active gatherers (and their statuses) in the last gathering.", + Description: "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.GathererStatus"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "startTime": { - SchemaProps: spec.SchemaProps{ - Description: "startTime is the time when Insights data gathering started.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), - }, - }, - "finishTime": { + "oauthConfig": { SchemaProps: spec.SchemaProps{ - Description: "finishTime is the time when Insights data gathering finished.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "oauthConfig, if present start the /oauth endpoint in this process", + Ref: ref("github.com/openshift/api/osin/v1.OAuthConfig"), }, }, - "relatedObjects": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - "namespace", - }, - "x-kubernetes-list-type": "map", - }, - }, + "apiServerArguments": { SchemaProps: spec.SchemaProps{ - Description: "relatedObjects is an optional list of resources which are useful when debugging or inspecting the data gathering Pod It may not exceed 100 items and must not contain duplicates.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.ObjectReference"), + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - "insightsRequestID": { + "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "insightsRequestID is an optional Insights request ID to track the status of the Insights analysis (in console.redhat.com processing pipeline) for the corresponding Insights data archive. It may not exceed 256 characters and is immutable once set.", + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "insightsReport": { - SchemaProps: spec.SchemaProps{ - Description: "insightsReport provides general Insights analysis results. When omitted, this means no data gathering has taken place yet or the corresponding Insights analysis (identified by \"insightsRequestID\") is not available.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.InsightsReport"), - }, - }, }, + Required: []string{"servingInfo", "corsAllowedOrigins", "auditConfig", "storageConfig", "admission", "kubeClientConfig", "authConfig", "aggregatorConfig", "kubeletClientInfo", "servicesSubnet", "servicesNodePortRange", "consolePublicURL", "userAgentMatchingConfig", "imagePolicyConfig", "projectConfig", "serviceAccountPublicKeyFiles", "oauthConfig", "apiServerArguments"}, }, }, Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.GathererStatus", "github.com/openshift/api/insights/v1alpha2.InsightsReport", "github.com/openshift/api/insights/v1alpha2.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + "github.com/openshift/api/config/v1.AdmissionConfig", "github.com/openshift/api/config/v1.AuditConfig", "github.com/openshift/api/config/v1.EtcdStorageConfig", "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo", "github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig", "github.com/openshift/api/osin/v1.OAuthConfig"}, } } -func schema_openshift_api_insights_v1alpha2_GathererConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "gathererConfig allows to configure specific gatherers", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "internalRegistryHostname": { SchemaProps: spec.SchemaProps{ - Description: "name is the required name of a specific gatherer It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", Default: "", Type: []string{"string"}, Format: "", }, }, - "state": { + "externalRegistryHostnames": { SchemaProps: spec.SchemaProps{ - Description: "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", + Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + Required: []string{"internalRegistryHostname", "externalRegistryHostnames"}, + }, + }, + } +} + +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaultNodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "defaultNodeSelector holds default project node label selector", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name", "state"}, + Required: []string{"defaultNodeSelector"}, }, }, } } -func schema_openshift_api_insights_v1alpha2_GathererStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "gathererStatus represents information about a particular data gatherer.", + Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, + "kind": { SchemaProps: spec.SchemaProps{ - Description: "conditions provide details on the status of each gatherer.\n\nThe current condition type is DataGathered\n\nThe DataGathered condition is used to represent whether or not the data was gathered by a gatherer specified by name. When it has a status of True and a reason of GatheredOK, the data has been successfully gathered as expected. When it has a status of False and a reason of NoData, no data was gathered—for example, when the resource is not present in the cluster. When it has a status of False and a reason of GatherError, an error occurred and no data was gathered. When it has a status of False and a reason of GatherPanic, a panic occurred during gathering and no data was collected. When it has a status of False and a reason of GatherWithErrorReason, data was partially gathered or gathered with an error message.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "name": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "name is the required name of the gatherer. It must contain at least 5 characters and may not exceed 256 characters.", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "lastGatherSeconds": { + "serviceServingCert": { SchemaProps: spec.SchemaProps{ - Description: "lastGatherSeconds is required field that represents the time spent gathering in seconds", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "serviceServingCert provides support for the old alpha service serving cert signer CA bundle", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"), + }, + }, + "projectConfig": { + SchemaProps: spec.SchemaProps{ + Description: "projectConfig is an optimization for the daemonset controller", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig"), + }, + }, + "extendedArguments": { + SchemaProps: spec.SchemaProps{ + Description: "extendedArguments is used to configure the kube-controller-manager", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, }, - Required: []string{"name", "lastGatherSeconds"}, + Required: []string{"serviceServingCert", "projectConfig", "extendedArguments"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"}, } } -func schema_openshift_api_insights_v1alpha2_Gatherers(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Gathereres specifies the configuration of the gatherers", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "mode": { + "defaultNodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "mode is a required field that specifies the mode for gatherers. Allowed values are All and Custom. When set to All, all gatherers wil run and gather data. When set to Custom, the custom configuration from the custom field will be applied.", + Description: "defaultNodeSelector holds default project node label selector", Default: "", Type: []string{"string"}, Format: "", }, }, - "custom": { - SchemaProps: spec.SchemaProps{ - Description: "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.", - Ref: ref("github.com/openshift/api/insights/v1alpha2.Custom"), - }, - }, - }, - Required: []string{"mode"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "mode", - "fields-to-discriminateBy": map[string]interface{}{ - "custom": "Custom", - }, - }, - }, }, + Required: []string{"defaultNodeSelector"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.Custom"}, } } -func schema_openshift_api_insights_v1alpha2_HealthCheck(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "healthCheck represents an Insights health check attributes.", + Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "description": { + "port": { + SchemaProps: spec.SchemaProps{ + Description: "port is the port to connect to kubelets on", + Default: 0, + Type: []string{"integer"}, + Format: "int64", + }, + }, + "ca": { SchemaProps: spec.SchemaProps{ - Description: "description is required field that provides basic description of the healtcheck. It must contain at least 10 characters and may not exceed 2048 characters.", + Description: "ca is the CA for verifying TLS connections to kubelets", Default: "", Type: []string{"string"}, Format: "", }, }, - "totalRisk": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "totalRisk is the required field of the healthcheck. It is indicator of the total risk posed by the detected issue; combination of impact and likelihood. Allowed values are Low, Medium, Important and Critical. The value represents the severity of the issue.", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "advisorURI": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "advisorURI is required field that provides the URL link to the Insights Advisor. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"description", "totalRisk", "advisorURI"}, + Required: []string{"port", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_insights_v1alpha2_InsightsReport(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "insightsReport provides Insights health check report based on the most recently sent Insights data.", + Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "downloadedTime": { + "requestHeader": { SchemaProps: spec.SchemaProps{ - Description: "downloadedTime is an optional time when the last Insights report was downloaded. An empty value means that there has not been any Insights report downloaded yet and it usually appears in disconnected clusters (or clusters when the Insights data gathering is disabled).", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions"), }, }, - "healthChecks": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "advisorURI", - "totalRisk", - "description", - }, - "x-kubernetes-list-type": "map", - }, - }, + "webhookTokenAuthenticators": { SchemaProps: spec.SchemaProps{ - Description: "healthChecks provides basic information about active Insights health checks in a cluster.", + Description: "webhookTokenAuthenticators, if present configures remote token reviewers", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.HealthCheck"), + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"), }, }, }, }, }, - "uri": { + "oauthMetadataFile": { SchemaProps: spec.SchemaProps{ - Description: "uri is optional field that provides the URL link from which the report was downloaded. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", + Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", + Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, }, }, Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.HealthCheck", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + "github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"}, } } -func schema_openshift_api_insights_v1alpha2_ObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ObjectReference contains enough information to let you inspect or modify the referred object.", + Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "group": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "group is required field that specifies the API Group of the Resource. Enter empty string for the core group. This value is empty or it should follow the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + Description: "clientCA is a file with the trusted signer certs. It is required.", Default: "", Type: []string{"string"}, Format: "", }, }, - "resource": { + "clientCommonNames": { SchemaProps: spec.SchemaProps{ - Description: "resource is required field of the type that is being referenced and follows the DNS1035 format. It is normally the plural form of the resource kind in lowercase. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "clientCommonNames is a required list of common names to require a match from.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "name": { + "usernameHeaders": { SchemaProps: spec.SchemaProps{ - Description: "name is required field that specifies the referent that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character..", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "namespace": { + "groupHeaders": { SchemaProps: spec.SchemaProps{ - Description: "namespace if required field of the referent that follows the DNS1123 labels format. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "groupHeaders is the set of headers to check for group information. All are unioned.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "extraHeaderPrefixes": { + SchemaProps: spec.SchemaProps{ + Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"group", "resource", "name", "namespace"}, + Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, }, }, } } -func schema_openshift_api_insights_v1alpha2_PersistentVolumeClaimReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, + Required: []string{"certFile"}, }, }, } } -func schema_openshift_api_insights_v1alpha2_PersistentVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "persistentVolumeConfig provides configuration options for PersistentVolume storage.", + Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "claim": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference"), + Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "mountPath": { + "httpVerbs": { SchemaProps: spec.SchemaProps{ - Description: "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "rejectionMessage": { + SchemaProps: spec.SchemaProps{ + Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"claim"}, + Required: []string{"regex", "httpVerbs", "rejectionMessage"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference"}, } } -func schema_openshift_api_insights_v1alpha2_Storage(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the PersistentVolume field.", + Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", Default: "", Type: []string{"string"}, Format: "", }, }, - "persistentVolume": { + "httpVerbs": { SchemaProps: spec.SchemaProps{ - Description: "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", - Ref: ref("github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig"), - }, - }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "persistentVolume": "PersistentVolume", + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, }, + Required: []string{"regex", "httpVerbs"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig"}, } } -func schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AggregatorConfig holds information required to make the aggregator function.", + Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "proxyClientInfo": { + "requiredClients": { SchemaProps: spec.SchemaProps{ - Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.CertInfo"), + Description: "requiredClients if this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"), + }, + }, + }, + }, + }, + "deniedClients": { + SchemaProps: spec.SchemaProps{ + Description: "deniedClients if this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule"), + }, + }, + }, + }, + }, + "defaultRejectionMessage": { + SchemaProps: spec.SchemaProps{ + Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"proxyClientInfo"}, + Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.CertInfo"}, + "github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "configFile": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "configFile is a path to a Kubeconfig file with the webhook configuration", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "cacheTTL": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", + Default: "", Type: []string{"string"}, Format: "", }, }, - "servingInfo": { + }, + Required: []string{"configFile", "cacheTTL"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_ActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "usersQuery": { SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving", + Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.HTTPServingInfo"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), }, }, - "corsAllowedOrigins": { + "userNameAttributes": { SchemaProps: spec.SchemaProps{ - Description: "corsAllowedOrigins", + Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29475,102 +28518,9 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref }, }, }, - "auditConfig": { - SchemaProps: spec.SchemaProps{ - Description: "auditConfig describes how to configure audit information", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.AuditConfig"), - }, - }, - "storageConfig": { - SchemaProps: spec.SchemaProps{ - Description: "storageConfig contains information about how to use", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.EtcdStorageConfig"), - }, - }, - "admission": { - SchemaProps: spec.SchemaProps{ - Description: "admissionConfig holds information about how to configure admission.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.AdmissionConfig"), - }, - }, - "kubeClientConfig": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), - }, - }, - "authConfig": { - SchemaProps: spec.SchemaProps{ - Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig"), - }, - }, - "aggregatorConfig": { - SchemaProps: spec.SchemaProps{ - Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig"), - }, - }, - "kubeletClientInfo": { - SchemaProps: spec.SchemaProps{ - Description: "kubeletClientInfo contains information about how to connect to kubelets", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo"), - }, - }, - "servicesSubnet": { - SchemaProps: spec.SchemaProps{ - Description: "servicesSubnet is the subnet to use for assigning service IPs", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "servicesNodePortRange": { - SchemaProps: spec.SchemaProps{ - Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "consolePublicURL": { - SchemaProps: spec.SchemaProps{ - Description: "DEPRECATED: consolePublicURL has been deprecated and setting it has no effect.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "userAgentMatchingConfig": { - SchemaProps: spec.SchemaProps{ - Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig"), - }, - }, - "imagePolicyConfig": { - SchemaProps: spec.SchemaProps{ - Description: "imagePolicyConfig feeds the image policy admission plugin", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig"), - }, - }, - "projectConfig": { - SchemaProps: spec.SchemaProps{ - Description: "projectConfig feeds an admission plugin", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig"), - }, - }, - "serviceAccountPublicKeyFiles": { + "groupMembershipAttributes": { SchemaProps: spec.SchemaProps{ - Description: "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", + Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29583,113 +28533,118 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref }, }, }, - "oauthConfig": { - SchemaProps: spec.SchemaProps{ - Description: "oauthConfig, if present start the /oauth endpoint in this process", - Ref: ref("github.com/openshift/api/osin/v1.OAuthConfig"), - }, - }, - "apiServerArguments": { + }, + Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, + } +} + +func schema_openshift_api_legacyconfig_v1_AdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AdmissionConfig holds the necessary configuration options for admission", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "pluginConfig": { SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "pluginConfig allows specifying a configuration file per admission control plugin", + Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"), }, }, }, }, }, - "minimumKubeletVersion": { + "pluginOrderOverride": { SchemaProps: spec.SchemaProps{ - Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "pluginOrderOverride is a list of admission control plugin names that will be installed on the master. Order is significant. If empty, a default list of plugins is used.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"servingInfo", "corsAllowedOrigins", "auditConfig", "storageConfig", "admission", "kubeClientConfig", "authConfig", "aggregatorConfig", "kubeletClientInfo", "servicesSubnet", "servicesNodePortRange", "consolePublicURL", "userAgentMatchingConfig", "imagePolicyConfig", "projectConfig", "serviceAccountPublicKeyFiles", "oauthConfig", "apiServerArguments"}, + Required: []string{"pluginConfig"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AdmissionConfig", "github.com/openshift/api/config/v1.AuditConfig", "github.com/openshift/api/config/v1.EtcdStorageConfig", "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo", "github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig", "github.com/openshift/api/osin/v1.OAuthConfig"}, + "github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AdmissionPluginConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "AdmissionPluginConfig holds the necessary configuration options for admission plugins", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "internalRegistryHostname": { + "location": { SchemaProps: spec.SchemaProps{ - Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", + Description: "location is the path to a configuration file that contains the plugin's configuration", Default: "", Type: []string{"string"}, Format: "", }, }, - "externalRegistryHostnames": { + "configuration": { SchemaProps: spec.SchemaProps{ - Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "configuration is an embedded configuration object to be used as the plugin's configuration. If present, it will be used instead of the path to the configuration file.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, }, - Required: []string{"internalRegistryHostname", "externalRegistryHostnames"}, + Required: []string{"location", "configuration"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "AggregatorConfig holds information required to make the aggregator function.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "defaultNodeSelector": { + "proxyClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "defaultNodeSelector holds default project node label selector", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), }, }, }, - Required: []string{"defaultNodeSelector"}, + Required: []string{"proxyClientInfo"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.CertInfo"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AllowAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -29706,181 +28661,123 @@ func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerConfig(ref co Format: "", }, }, - "serviceServingCert": { - SchemaProps: spec.SchemaProps{ - Description: "serviceServingCert provides support for the old alpha service serving cert signer CA bundle", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"), - }, - }, - "projectConfig": { - SchemaProps: spec.SchemaProps{ - Description: "projectConfig is an optimization for the daemonset controller", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig"), - }, - }, - "extendedArguments": { - SchemaProps: spec.SchemaProps{ - Description: "extendedArguments is used to configure the kube-controller-manager", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, }, - Required: []string{"serviceServingCert", "projectConfig", "extendedArguments"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AuditConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "AuditConfig holds configuration for the audit capabilities", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "defaultNodeSelector": { + "enabled": { SchemaProps: spec.SchemaProps{ - Description: "defaultNodeSelector holds default project node label selector", + Description: "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + "auditFilePath": { + SchemaProps: spec.SchemaProps{ + Description: "All requests coming to the apiserver will be logged to this file.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"defaultNodeSelector"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "port": { + "maximumFileRetentionDays": { SchemaProps: spec.SchemaProps{ - Description: "port is the port to connect to kubelets on", + Description: "Maximum number of days to retain old log files based on the timestamp encoded in their filename.", Default: 0, Type: []string{"integer"}, - Format: "int64", + Format: "int32", }, }, - "ca": { + "maximumRetainedFiles": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections to kubelets", + Description: "Maximum number of old log files to retain.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "maximumFileSizeMegabytes": { + SchemaProps: spec.SchemaProps{ + Description: "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "policyFile": { + SchemaProps: spec.SchemaProps{ + Description: "policyFile is a path to the file that defines the audit policy configuration.", Default: "", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "policyConfiguration": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "policyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + }, + }, + "logFormat": { + SchemaProps: spec.SchemaProps{ + Description: "Format of saved audits (legacy or json).", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "webHookKubeConfig": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "Path to a .kubeconfig formatted file that defines the audit webhook configuration.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "webHookMode": { + SchemaProps: spec.SchemaProps{ + Description: "Strategy for sending audit events (block or batch).", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"port", "ca", "certFile", "keyFile"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requestHeader": { - SchemaProps: spec.SchemaProps{ - Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions"), - }, - }, - "webhookTokenAuthenticators": { - SchemaProps: spec.SchemaProps{ - Description: "webhookTokenAuthenticators, if present configures remote token reviewers", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"), - }, - }, - }, - }, - }, - "oauthMetadataFile": { - SchemaProps: spec.SchemaProps{ - Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, + Required: []string{"enabled", "auditFilePath", "maximumFileRetentionDays", "maximumRetainedFiles", "maximumFileSizeMegabytes", "policyFile", "policyConfiguration", "logFormat", "webHookKubeConfig", "webHookMode"}, }, }, Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"}, + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", + Description: "AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "clientCA": { + "usersQuery": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is a file with the trusted signer certs. It is required.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), }, }, - "clientCommonNames": { + "userNameAttributes": { SchemaProps: spec.SchemaProps{ - Description: "clientCommonNames is a required list of common names to require a match from.", + Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29893,9 +28790,9 @@ func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions }, }, }, - "usernameHeaders": { + "groupMembershipAttributes": { SchemaProps: spec.SchemaProps{ - Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", + Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29908,24 +28805,24 @@ func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions }, }, }, - "groupHeaders": { + "groupsQuery": { SchemaProps: spec.SchemaProps{ - Description: "groupHeaders is the set of headers to check for group information. All are unioned.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), }, }, - "extraHeaderPrefixes": { + "groupUIDAttribute": { SchemaProps: spec.SchemaProps{ - Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", + Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "groupNameAttributes": { + SchemaProps: spec.SchemaProps{ + Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29939,232 +28836,246 @@ func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions }, }, }, - Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, + Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes", "groupsQuery", "groupUIDAttribute", "groupNameAttributes"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_kubecontrolplane_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", + Description: "BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "certFile": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url is the remote URL to connect to", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"certFile"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "regex": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Description: "ca is the CA for verifying TLS connections", Default: "", Type: []string{"string"}, Format: "", }, }, - "httpVerbs": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "rejectionMessage": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"regex", "httpVerbs", "rejectionMessage"}, + Required: []string{"url", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", + Description: "BuildDefaultsConfig controls the default information for Builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "regex": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "httpVerbs": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "gitHTTPProxy": { + SchemaProps: spec.SchemaProps{ + Description: "gitHTTPProxy is the location of the HTTPProxy for Git source", + Type: []string{"string"}, + Format: "", + }, + }, + "gitHTTPSProxy": { + SchemaProps: spec.SchemaProps{ + Description: "gitHTTPSProxy is the location of the HTTPSProxy for Git source", + Type: []string{"string"}, + Format: "", + }, + }, + "gitNoProxy": { + SchemaProps: spec.SchemaProps{ + Description: "gitNoProxy is the list of domains for which the proxy should not be used", + Type: []string{"string"}, + Format: "", + }, + }, + "env": { + SchemaProps: spec.SchemaProps{ + Description: "env is a set of default environment variables that will be applied to the build if the specified variables do not exist on the build", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.EnvVar"), }, }, }, }, }, - }, - Required: []string{"regex", "httpVerbs"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requiredClients": { + "sourceStrategyDefaults": { SchemaProps: spec.SchemaProps{ - Description: "requiredClients if this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", + Description: "sourceStrategyDefaults are default values that apply to builds using the source strategy.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig"), + }, + }, + "imageLabels": { + SchemaProps: spec.SchemaProps{ + Description: "imageLabels is a list of labels that are applied to the resulting image. User can override a default label by providing a label with the same name in their Build/BuildConfig.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"), + Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), }, }, }, }, }, - "deniedClients": { + "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "deniedClients if this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "defaultRejectionMessage": { + "annotations": { SchemaProps: spec.SchemaProps{ - Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "annotations are annotations that will be added to the build pod", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "resources": { + SchemaProps: spec.SchemaProps{ + Description: "resources defines resource requirements to execute the build.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.ResourceRequirements"), }, }, }, - Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, }, }, Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"}, + "github.com/openshift/api/build/v1.ImageLabel", "github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements"}, } } -func schema_openshift_api_kubecontrolplane_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", + Description: "BuildOverridesConfig controls override settings for builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configFile": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "configFile is a path to a Kubeconfig file with the webhook configuration", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "cacheTTL": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"configFile", "cacheTTL"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_ActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "usersQuery": { + "forcePull": { SchemaProps: spec.SchemaProps{ - Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "forcePull indicates whether the build strategy should always be set to ForcePull=true", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, - "userNameAttributes": { + "imageLabels": { SchemaProps: spec.SchemaProps{ - Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", + Description: "imageLabels is a list of labels that are applied to the resulting image. If user provided a label in their Build/BuildConfig with the same name as one in this list, the user's label will be overwritten.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), }, }, }, }, }, - "groupMembershipAttributes": { + "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -30175,349 +29086,452 @@ func schema_openshift_api_legacyconfig_v1_ActiveDirectoryConfig(ref common.Refer }, }, }, - }, - Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, - } -} - -func schema_openshift_api_legacyconfig_v1_AdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AdmissionConfig holds the necessary configuration options for admission", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "pluginConfig": { + "annotations": { SchemaProps: spec.SchemaProps{ - Description: "pluginConfig allows specifying a configuration file per admission control plugin", + Description: "annotations are annotations that will be added to the build pod", Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "pluginOrderOverride": { + "tolerations": { SchemaProps: spec.SchemaProps{ - Description: "pluginOrderOverride is a list of admission control plugin names that will be installed on the master. Order is significant. If empty, a default list of plugins is used.", + Description: "tolerations is a list of Tolerations that will override any existing tolerations set on a build pod.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Toleration"), }, }, }, }, }, }, - Required: []string{"pluginConfig"}, + Required: []string{"forcePull"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"}, + "github.com/openshift/api/build/v1.ImageLabel", "k8s.io/api/core/v1.Toleration"}, } } -func schema_openshift_api_legacyconfig_v1_AdmissionPluginConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_CertInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AdmissionPluginConfig holds the necessary configuration options for admission plugins", + Description: "CertInfo relates a certificate with a private key", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "location": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "location is the path to a configuration file that contains the plugin's configuration", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "configuration": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "configuration is an embedded configuration object to be used as the plugin's configuration. If present, it will be used instead of the path to the configuration file.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"location", "configuration"}, + Required: []string{"certFile", "keyFile"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ClientConnectionOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AggregatorConfig holds information required to make the aggregator function.", + Description: "ClientConnectionOverrides are a set of overrides to the default client connection settings.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "proxyClientInfo": { + "acceptContentTypes": { SchemaProps: spec.SchemaProps{ - Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), + Description: "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "contentType": { + SchemaProps: spec.SchemaProps{ + Description: "contentType is the content type used when sending data to the server from this client.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "qps": { + SchemaProps: spec.SchemaProps{ + Description: "qps controls the number of queries per second allowed for this connection.", + Default: 0, + Type: []string{"number"}, + Format: "float", + }, + }, + "burst": { + SchemaProps: spec.SchemaProps{ + Description: "burst allows extra queries to accumulate when a client is exceeding its rate.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, }, - Required: []string{"proxyClientInfo"}, + Required: []string{"acceptContentTypes", "contentType", "qps", "burst"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.CertInfo"}, } } -func schema_openshift_api_legacyconfig_v1_AllowAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "cidr": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "cidr defines the total range of a cluster networks address space.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "hostSubnetLength": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "hostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pod.", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, }, + Required: []string{"cidr", "hostSubnetLength"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_AuditConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ControllerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AuditConfig holds configuration for the audit capabilities", + Description: "ControllerConfig holds configuration values for controllers", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "enabled": { + "controllers": { SchemaProps: spec.SchemaProps{ - Description: "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "controllers is a list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller \"+ named 'foo', '-foo' disables the controller named 'foo'. Defaults to \"*\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "auditFilePath": { + "election": { SchemaProps: spec.SchemaProps{ - Description: "All requests coming to the apiserver will be logged to this file.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "election defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig"), }, }, - "maximumFileRetentionDays": { + "serviceServingCert": { SchemaProps: spec.SchemaProps{ - Description: "Maximum number of days to retain old log files based on the timestamp encoded in their filename.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "serviceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceServingCert"), }, }, - "maximumRetainedFiles": { + }, + Required: []string{"controllers", "election", "serviceServingCert"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig", "github.com/openshift/api/legacyconfig/v1.ServiceServingCert"}, + } +} + +func schema_openshift_api_legacyconfig_v1_ControllerElectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ControllerElectionConfig contains configuration values for deciding how a controller will be elected to act as leader.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "lockName": { SchemaProps: spec.SchemaProps{ - Description: "Maximum number of old log files to retain.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "lockName is the resource name used to act as the lock for determining which controller instance should lead.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "maximumFileSizeMegabytes": { - SchemaProps: spec.SchemaProps{ - Description: "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "policyFile": { + "lockNamespace": { SchemaProps: spec.SchemaProps{ - Description: "policyFile is a path to the file that defines the audit policy configuration.", + Description: "lockNamespace is the resource namespace used to act as the lock for determining which controller instance should lead. It defaults to \"kube-system\"", Default: "", Type: []string{"string"}, Format: "", }, }, - "policyConfiguration": { + "lockResource": { SchemaProps: spec.SchemaProps{ - Description: "policyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "lockResource is the group and resource name to use to coordinate for the controller lock. If unset, defaults to \"configmaps\".", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.GroupResource"), }, }, - "logFormat": { + }, + Required: []string{"lockName", "lockNamespace", "lockResource"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.GroupResource"}, + } +} + +func schema_openshift_api_legacyconfig_v1_DNSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DNSConfig holds the necessary configuration options for DNS", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "bindAddress": { SchemaProps: spec.SchemaProps{ - Description: "Format of saved audits (legacy or json).", + Description: "bindAddress is the ip:port to serve DNS on", Default: "", Type: []string{"string"}, Format: "", }, }, - "webHookKubeConfig": { + "bindNetwork": { SchemaProps: spec.SchemaProps{ - Description: "Path to a .kubeconfig formatted file that defines the audit webhook configuration.", + Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", Default: "", Type: []string{"string"}, Format: "", }, }, - "webHookMode": { + "allowRecursiveQueries": { SchemaProps: spec.SchemaProps{ - Description: "Strategy for sending audit events (block or batch).", - Default: "", - Type: []string{"string"}, + Description: "allowRecursiveQueries allows the DNS server on the master to answer queries recursively. Note that open resolvers can be used for DNS amplification attacks and the master DNS should not be made accessible to public networks.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"enabled", "auditFilePath", "maximumFileRetentionDays", "maximumRetainedFiles", "maximumFileSizeMegabytes", "policyFile", "policyConfiguration", "logFormat", "webHookKubeConfig", "webHookMode"}, + Required: []string{"bindAddress", "bindNetwork", "allowRecursiveQueries"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_DefaultAdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema", + Description: "DefaultAdmissionConfig can be used to enable or disable various admission plugins. When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, this will cause an \"off by default\" admission plugin to be enabled\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "usersQuery": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "userNameAttributes": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "groupMembershipAttributes": { + "disable": { SchemaProps: spec.SchemaProps{ - Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "disable turns off an admission plugin that is enabled by default.", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, - "groupsQuery": { + }, + Required: []string{"disable"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_DenyAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DenyAllPasswordIdentityProvider provides no identities for users\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "groupUIDAttribute": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_DockerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DockerConfig holds Docker related configuration options.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "execHandlerName": { + SchemaProps: spec.SchemaProps{ + Description: "execHandlerName is the name of the handler to use for executing commands in containers.", Default: "", Type: []string{"string"}, Format: "", }, }, - "groupNameAttributes": { + "dockerShimSocket": { SchemaProps: spec.SchemaProps{ - Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "dockerShimSocket is the location of the dockershim socket the kubelet uses. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "dockerShimRootDirectory": { + SchemaProps: spec.SchemaProps{ + Description: "dockerShimRootDirectory is the dockershim root directory.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes", "groupsQuery", "groupUIDAttribute", "groupNameAttributes"}, + Required: []string{"execHandlerName", "dockerShimSocket", "dockerShimRootDirectory"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_EtcdConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "EtcdConfig holds the necessary configuration options for connecting with an etcd database", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "servingInfo describes how to start serving the etcd master", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + }, + }, + "address": { + SchemaProps: spec.SchemaProps{ + Description: "address is the advertised host:port for client connections to etcd", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "peerServingInfo": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "peerServingInfo describes how to start serving the etcd peer", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + }, + }, + "peerAddress": { + SchemaProps: spec.SchemaProps{ + Description: "peerAddress is the advertised host:port for peer connections to etcd", + Default: "", Type: []string{"string"}, Format: "", }, }, - "url": { + "storageDirectory": { SchemaProps: spec.SchemaProps{ - Description: "url is the remote URL to connect to", + Description: "StorageDir is the path to the etcd storage directory", Default: "", Type: []string{"string"}, Format: "", }, }, + }, + Required: []string{"servingInfo", "address", "peerServingInfo", "peerAddress", "storageDirectory"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, + } +} + +func schema_openshift_api_legacyconfig_v1_EtcdConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "EtcdConnectionInfo holds information necessary for connecting to an etcd server", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "urls": { + SchemaProps: spec.SchemaProps{ + Description: "urls are the URLs for etcd", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, "ca": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections", + Description: "ca is a file containing trusted roots for the etcd server certificates", Default: "", Type: []string{"string"}, Format: "", @@ -30540,94 +29554,98 @@ func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref }, }, }, - Required: []string{"url", "ca", "certFile", "keyFile"}, + Required: []string{"urls", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_EtcdStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildDefaultsConfig controls the default information for Builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "EtcdStorageConfig holds the necessary configuration options for the etcd storage underlying OpenShift and Kubernetes", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "kubernetesStorageVersion": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "kubernetesStorageVersion is the API version that Kube resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "kubernetesStoragePrefix": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "kubernetesStoragePrefix is the path within etcd that the Kubernetes resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'kubernetes.io'.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "gitHTTPProxy": { + "openShiftStorageVersion": { SchemaProps: spec.SchemaProps{ - Description: "gitHTTPProxy is the location of the HTTPProxy for Git source", + Description: "openShiftStorageVersion is the API version that OS resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "gitHTTPSProxy": { + "openShiftStoragePrefix": { SchemaProps: spec.SchemaProps{ - Description: "gitHTTPSProxy is the location of the HTTPSProxy for Git source", + Description: "openShiftStoragePrefix is the path within etcd that the OpenShift resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'openshift.io'.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "gitNoProxy": { + }, + Required: []string{"kubernetesStorageVersion", "kubernetesStoragePrefix", "openShiftStorageVersion", "openShiftStoragePrefix"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GitHubIdentityProvider provides identities for users authenticating using GitHub credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "gitNoProxy is the list of domains for which the proxy should not be used", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "env": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "env is a set of default environment variables that will be applied to the build if the specified variables do not exist on the build", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.EnvVar"), - }, - }, - }, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "sourceStrategyDefaults": { + "clientID": { SchemaProps: spec.SchemaProps{ - Description: "sourceStrategyDefaults are default values that apply to builds using the source strategy.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig"), + Description: "clientID is the oauth client ID", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "imageLabels": { + "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "imageLabels is a list of labels that are applied to the resulting image. User can override a default label by providing a label with the same name in their Build/BuildConfig.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), - }, - }, - }, + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "nodeSelector": { + "organizations": { SchemaProps: spec.SchemaProps{ - Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "organizations optionally restricts which organizations are allowed to log in", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -30638,12 +29656,11 @@ func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.Referen }, }, }, - "annotations": { + "teams": { SchemaProps: spec.SchemaProps{ - Description: "annotations are annotations that will be added to the build pod", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "teams optionally restricts which teams are allowed to log in. Format is /.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -30654,26 +29671,36 @@ func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.Referen }, }, }, - "resources": { + "hostname": { SchemaProps: spec.SchemaProps{ - Description: "resources defines resource requirements to execute the build.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.ResourceRequirements"), + Description: "hostname is the optional domain (e.g. \"mycompany.com\") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "ca": { + SchemaProps: spec.SchemaProps{ + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"clientID", "clientSecret", "organizations", "teams", "hostname", "ca"}, }, }, Dependencies: []string{ - "github.com/openshift/api/build/v1.ImageLabel", "github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements"}, + "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildOverridesConfig controls override settings for builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "GitLabIdentityProvider provides identities for users authenticating using GitLab credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -30690,619 +29717,519 @@ func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.Refere Format: "", }, }, - "forcePull": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "forcePull indicates whether the build strategy should always be set to ForcePull=true", - Default: false, - Type: []string{"boolean"}, + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "imageLabels": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "imageLabels is a list of labels that are applied to the resulting image. If user provided a label in their Build/BuildConfig with the same name as one in this list, the user's label will be overwritten.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), - }, - }, - }, + Description: "url is the oauth server base URL", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "nodeSelector": { + "clientID": { SchemaProps: spec.SchemaProps{ - Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "clientID is the oauth client ID", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "annotations": { + "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "annotations are annotations that will be added to the build pod", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "tolerations": { + "legacy": { SchemaProps: spec.SchemaProps{ - Description: "tolerations is a list of Tolerations that will override any existing tolerations set on a build pod.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.Toleration"), - }, - }, - }, + Description: "legacy determines if OAuth2 or OIDC should be used If true, OAuth2 is used If false, OIDC is used If nil and the URL's host is gitlab.com, OIDC is used Otherwise, OAuth2 is used In a future release, nil will default to using OIDC Eventually this flag will be removed and only OIDC will be used", + Type: []string{"boolean"}, + Format: "", }, }, }, - Required: []string{"forcePull"}, + Required: []string{"ca", "url", "clientID", "clientSecret"}, }, }, Dependencies: []string{ - "github.com/openshift/api/build/v1.ImageLabel", "k8s.io/api/core/v1.Toleration"}, + "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_CertInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GoogleIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "CertInfo relates a certificate with a private key", + Description: "GoogleIdentityProvider provides identities for users authenticating using Google credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "certFile": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "clientID": { + SchemaProps: spec.SchemaProps{ + Description: "clientID is the oauth client ID", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + }, + }, + "hostedDomain": { + SchemaProps: spec.SchemaProps{ + Description: "hostedDomain is the optional Google App domain (e.g. \"mycompany.com\") to restrict logins to", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"certFile", "keyFile"}, + Required: []string{"clientID", "clientSecret", "hostedDomain"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_ClientConnectionOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GrantConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClientConnectionOverrides are a set of overrides to the default client connection settings.", + Description: "GrantConfig holds the necessary configuration options for grant handlers", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "acceptContentTypes": { + "method": { SchemaProps: spec.SchemaProps{ - Description: "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.", + Description: "method determines the default strategy to use when an OAuth client requests a grant. This method will be used only if the specific OAuth client doesn't provide a strategy of their own. Valid grant handling methods are:\n - auto: always approves grant requests, useful for trusted clients\n - prompt: prompts the end user for approval of grant requests, useful for third-party clients\n - deny: always denies grant requests, useful for black-listed clients", Default: "", Type: []string{"string"}, Format: "", }, }, - "contentType": { + "serviceAccountMethod": { SchemaProps: spec.SchemaProps{ - Description: "contentType is the content type used when sending data to the server from this client.", + Description: "serviceAccountMethod is used for determining client authorization for service account oauth client. It must be either: deny, prompt", Default: "", Type: []string{"string"}, Format: "", }, }, - "qps": { - SchemaProps: spec.SchemaProps{ - Description: "qps controls the number of queries per second allowed for this connection.", - Default: 0, - Type: []string{"number"}, - Format: "float", - }, - }, - "burst": { - SchemaProps: spec.SchemaProps{ - Description: "burst allows extra queries to accumulate when a client is exceeding its rate.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, }, - Required: []string{"acceptContentTypes", "contentType", "qps", "burst"}, + Required: []string{"method", "serviceAccountMethod"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GroupResource(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.", + Description: "GroupResource points to a resource by its name and API group.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "cidr": { + "group": { SchemaProps: spec.SchemaProps{ - Description: "cidr defines the total range of a cluster networks address space.", + Description: "group is the name of an API group", Default: "", Type: []string{"string"}, Format: "", }, }, - "hostSubnetLength": { + "resource": { SchemaProps: spec.SchemaProps{ - Description: "hostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pod.", - Default: 0, - Type: []string{"integer"}, - Format: "int64", + Description: "resource is the name of a resource.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"cidr", "hostSubnetLength"}, + Required: []string{"group", "resource"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ControllerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_HTPasswdPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControllerConfig holds configuration values for controllers", + Description: "HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "controllers": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "controllers is a list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller \"+ named 'foo', '-foo' disables the controller named 'foo'. Defaults to \"*\".", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "election": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "election defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "serviceServingCert": { + "file": { SchemaProps: spec.SchemaProps{ - Description: "serviceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceServingCert"), + Description: "file is a reference to your htpasswd file", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"controllers", "election", "serviceServingCert"}, + Required: []string{"file"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig", "github.com/openshift/api/legacyconfig/v1.ServiceServingCert"}, } } -func schema_openshift_api_legacyconfig_v1_ControllerElectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControllerElectionConfig contains configuration values for deciding how a controller will be elected to act as leader.", + Description: "HTTPServingInfo holds configuration for serving HTTP", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "lockName": { + "bindAddress": { SchemaProps: spec.SchemaProps{ - Description: "lockName is the resource name used to act as the lock for determining which controller instance should lead.", + Description: "bindAddress is the ip:port to serve on", Default: "", Type: []string{"string"}, Format: "", }, }, - "lockNamespace": { + "bindNetwork": { SchemaProps: spec.SchemaProps{ - Description: "lockNamespace is the resource namespace used to act as the lock for determining which controller instance should lead. It defaults to \"kube-system\"", + Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", Default: "", Type: []string{"string"}, Format: "", }, }, - "lockResource": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "lockResource is the group and resource name to use to coordinate for the controller lock. If unset, defaults to \"configmaps\".", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.GroupResource"), + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - }, - Required: []string{"lockName", "lockNamespace", "lockResource"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.GroupResource"}, - } -} - -func schema_openshift_api_legacyconfig_v1_DNSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DNSConfig holds the necessary configuration options for DNS", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "bindAddress": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "bindAddress is the ip:port to serve DNS on", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindNetwork": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", Default: "", Type: []string{"string"}, Format: "", }, }, - "allowRecursiveQueries": { + "namedCertificates": { SchemaProps: spec.SchemaProps{ - Description: "allowRecursiveQueries allows the DNS server on the master to answer queries recursively. Note that open resolvers can be used for DNS amplification attacks and the master DNS should not be made accessible to public networks.", - Default: false, - Type: []string{"boolean"}, + Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), + }, + }, + }, + }, + }, + "minTLSVersion": { + SchemaProps: spec.SchemaProps{ + Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", + Type: []string{"string"}, Format: "", }, }, + "cipherSuites": { + SchemaProps: spec.SchemaProps{ + Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "maxRequestsInFlight": { + SchemaProps: spec.SchemaProps{ + Description: "maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "requestTimeoutSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if -1 there is no limit on requests.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, }, - Required: []string{"bindAddress", "bindNetwork", "allowRecursiveQueries"}, + Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates", "maxRequestsInFlight", "requestTimeoutSeconds"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, } } -func schema_openshift_api_legacyconfig_v1_DefaultAdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_IdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DefaultAdmissionConfig can be used to enable or disable various admission plugins. When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, this will cause an \"off by default\" admission plugin to be enabled\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "IdentityProvider provides identities for users authenticating using credentials", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "name is used to qualify the identities returned by this provider", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "challenge": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, + Description: "UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "disable": { + "login": { SchemaProps: spec.SchemaProps{ - Description: "disable turns off an admission plugin that is enabled by default.", + Description: "UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against", Default: false, Type: []string{"boolean"}, Format: "", }, }, - }, - Required: []string{"disable"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_DenyAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DenyAllPasswordIdentityProvider provides no identities for users\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { + "mappingMethod": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "mappingMethod determines how identities from this provider are mapped to users", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "provider": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "provider contains the information about how to set up a specific identity provider", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, }, + Required: []string{"name", "challenge", "login", "mappingMethod", "provider"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_DockerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ImageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DockerConfig holds Docker related configuration options.", + Description: "ImageConfig holds the necessary configuration options for building image names for system components", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "execHandlerName": { - SchemaProps: spec.SchemaProps{ - Description: "execHandlerName is the name of the handler to use for executing commands in containers.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "dockerShimSocket": { + "format": { SchemaProps: spec.SchemaProps{ - Description: "dockerShimSocket is the location of the dockershim socket the kubelet uses. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'", + Description: "format is the format of the name to be built for the system component", Default: "", Type: []string{"string"}, Format: "", }, }, - "dockerShimRootDirectory": { + "latest": { SchemaProps: spec.SchemaProps{ - Description: "dockerShimRootDirectory is the dockershim root directory.", - Default: "", - Type: []string{"string"}, + Description: "latest determines if the latest tag will be pulled from the registry", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"execHandlerName", "dockerShimSocket", "dockerShimRootDirectory"}, + Required: []string{"format", "latest"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_EtcdConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EtcdConfig holds the necessary configuration options for connecting with an etcd database", + Description: "ImagePolicyConfig holds the necessary configuration options for limits and behavior for importing images", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "servingInfo": { + "maxImagesBulkImportedPerRepository": { SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving the etcd master", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + Description: "maxImagesBulkImportedPerRepository controls the number of images that are imported when a user does a bulk import of a container repository. This number defaults to 50 to prevent users from importing large numbers of images accidentally. Set -1 for no limit.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "address": { + "disableScheduledImport": { SchemaProps: spec.SchemaProps{ - Description: "address is the advertised host:port for client connections to etcd", - Default: "", - Type: []string{"string"}, + Description: "disableScheduledImport allows scheduled background import of images to be disabled.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "peerServingInfo": { - SchemaProps: spec.SchemaProps{ - Description: "peerServingInfo describes how to start serving the etcd peer", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), - }, - }, - "peerAddress": { + "scheduledImageImportMinimumIntervalSeconds": { SchemaProps: spec.SchemaProps{ - Description: "peerAddress is the advertised host:port for peer connections to etcd", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "scheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams scheduled for background import are checked against the upstream repository. The default value is 15 minutes.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "storageDirectory": { + "maxScheduledImageImportsPerMinute": { SchemaProps: spec.SchemaProps{ - Description: "StorageDir is the path to the etcd storage directory", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "maxScheduledImageImportsPerMinute is the maximum number of scheduled image streams that will be imported in the background per minute. The default value is 60. Set to -1 for unlimited.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - }, - Required: []string{"servingInfo", "address", "peerServingInfo", "peerAddress", "storageDirectory"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, - } -} - -func schema_openshift_api_legacyconfig_v1_EtcdConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "EtcdConnectionInfo holds information necessary for connecting to an etcd server", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "urls": { + "allowedRegistriesForImport": { SchemaProps: spec.SchemaProps{ - Description: "urls are the URLs for etcd", + Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.RegistryLocation"), }, }, }, }, }, - "ca": { + "internalRegistryHostname": { SchemaProps: spec.SchemaProps{ - Description: "ca is a file containing trusted roots for the etcd server certificates", - Default: "", + Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "externalRegistryHostname": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", + Description: "externalRegistryHostname sets the hostname for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "additionalTrustedCA": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", + Description: "additionalTrustedCA is a path to a pem bundle file containing additional CAs that should be trusted during imagestream import.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"urls", "ca", "certFile", "keyFile"}, + Required: []string{"maxImagesBulkImportedPerRepository", "disableScheduledImport", "scheduledImageImportMinimumIntervalSeconds", "maxScheduledImageImportsPerMinute"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.RegistryLocation"}, } } -func schema_openshift_api_legacyconfig_v1_EtcdStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_JenkinsPipelineConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EtcdStorageConfig holds the necessary configuration options for the etcd storage underlying OpenShift and Kubernetes", + Description: "JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kubernetesStorageVersion": { - SchemaProps: spec.SchemaProps{ - Description: "kubernetesStorageVersion is the API version that Kube resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "kubernetesStoragePrefix": { + "autoProvisionEnabled": { SchemaProps: spec.SchemaProps{ - Description: "kubernetesStoragePrefix is the path within etcd that the Kubernetes resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'kubernetes.io'.", - Default: "", - Type: []string{"string"}, + Description: "autoProvisionEnabled determines whether a Jenkins server will be spawned from the provided template when the first build config in the project with type JenkinsPipeline is created. When not specified this option defaults to true.", + Type: []string{"boolean"}, Format: "", }, }, - "openShiftStorageVersion": { + "templateNamespace": { SchemaProps: spec.SchemaProps{ - Description: "openShiftStorageVersion is the API version that OS resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Description: "templateNamespace contains the namespace name where the Jenkins template is stored", Default: "", Type: []string{"string"}, Format: "", }, }, - "openShiftStoragePrefix": { + "templateName": { SchemaProps: spec.SchemaProps{ - Description: "openShiftStoragePrefix is the path within etcd that the OpenShift resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'openshift.io'.", + Description: "templateName is the name of the default Jenkins template", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"kubernetesStorageVersion", "kubernetesStoragePrefix", "openShiftStorageVersion", "openShiftStoragePrefix"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GitHubIdentityProvider provides identities for users authenticating using GitHub credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "clientID": { + "serviceName": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", + Description: "serviceName is the name of the Jenkins service OpenShift uses to detect whether a Jenkins pipeline handler has already been installed in a project. This value *must* match a service name in the provided template.", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientSecret": { - SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "organizations": { - SchemaProps: spec.SchemaProps{ - Description: "organizations optionally restricts which organizations are allowed to log in", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "teams": { + "parameters": { SchemaProps: spec.SchemaProps{ - Description: "teams optionally restricts which teams are allowed to log in. Format is /.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "parameters specifies a set of optional parameters to the Jenkins template.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -31313,36 +30240,18 @@ func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.Refe }, }, }, - "hostname": { - SchemaProps: spec.SchemaProps{ - Description: "hostname is the optional domain (e.g. \"mycompany.com\") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, }, - Required: []string{"clientID", "clientSecret", "organizations", "teams", "hostname", "ca"}, + Required: []string{"autoProvisionEnabled", "templateNamespace", "templateName", "serviceName", "parameters"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GitLabIdentityProvider provides identities for users authenticating using GitLab credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -31359,541 +30268,501 @@ func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.Refe Format: "", }, }, + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url is the remote URL to connect to", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, "ca": { SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Description: "ca is the CA for verifying TLS connections", Default: "", Type: []string{"string"}, Format: "", }, }, - "url": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "url is the oauth server base URL", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientID": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientSecret": { + "domainName": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + Description: "Domain Name is required for keystone v3", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "legacy": { + "useKeystoneIdentity": { SchemaProps: spec.SchemaProps{ - Description: "legacy determines if OAuth2 or OIDC should be used If true, OAuth2 is used If false, OIDC is used If nil and the URL's host is gitlab.com, OIDC is used Otherwise, OAuth2 is used In a future release, nil will default to using OIDC Eventually this flag will be removed and only OIDC will be used", + Description: "useKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username", + Default: false, Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"ca", "url", "clientID", "clientSecret"}, + Required: []string{"url", "ca", "certFile", "keyFile", "domainName", "useKeystoneIdentity"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_GoogleIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GoogleIdentityProvider provides identities for users authenticating using Google credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "port": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "port is the port to connect to kubelets on", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "apiVersion": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "ca is the CA for verifying TLS connections to kubelets", + Default: "", Type: []string{"string"}, Format: "", }, }, - "clientID": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientSecret": { - SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "hostedDomain": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "hostedDomain is the optional Google App domain (e.g. \"mycompany.com\") to restrict logins to", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"clientID", "clientSecret", "hostedDomain"}, + Required: []string{"port", "ca", "certFile", "keyFile"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_GrantConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KubernetesMasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GrantConfig holds the necessary configuration options for grant handlers", + Description: "KubernetesMasterConfig holds the necessary configuration options for the Kubernetes master", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "method": { + "apiLevels": { SchemaProps: spec.SchemaProps{ - Description: "method determines the default strategy to use when an OAuth client requests a grant. This method will be used only if the specific OAuth client doesn't provide a strategy of their own. Valid grant handling methods are:\n - auto: always approves grant requests, useful for trusted clients\n - prompt: prompts the end user for approval of grant requests, useful for third-party clients\n - deny: always denies grant requests, useful for black-listed clients", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "serviceAccountMethod": { - SchemaProps: spec.SchemaProps{ - Description: "serviceAccountMethod is used for determining client authorization for service account oauth client. It must be either: deny, prompt", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - }, - Required: []string{"method", "serviceAccountMethod"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_GroupResource(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GroupResource points to a resource by its name and API group.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "group": { + "disabledAPIGroupVersions": { SchemaProps: spec.SchemaProps{ - Description: "group is the name of an API group", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "disabledAPIGroupVersions is a map of groups to the versions (or *) that should be disabled.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, - "resource": { + "masterIP": { SchemaProps: spec.SchemaProps{ - Description: "resource is the name of a resource.", + Description: "masterIP is the public IP address of kubernetes stuff. If empty, the first result from net.InterfaceAddrs will be used.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"group", "resource"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_HTPasswdPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "file": { + "masterEndpointReconcileTTL": { SchemaProps: spec.SchemaProps{ - Description: "file is a reference to your htpasswd file", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "masterEndpointReconcileTTL sets the time to live in seconds of an endpoint record recorded by each master. The endpoints are checked at an interval that is 2/3 of this value and this value defaults to 15s if unset. In very large clusters, this value may be increased to reduce the possibility that the master endpoint record expires (due to other load on the etcd server) and causes masters to drop in and out of the kubernetes service record. It is not recommended to set this value below 15s.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - }, - Required: []string{"file"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "HTTPServingInfo holds configuration for serving HTTP", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "bindAddress": { + "servicesSubnet": { SchemaProps: spec.SchemaProps{ - Description: "bindAddress is the ip:port to serve on", + Description: "servicesSubnet is the subnet to use for assigning service IPs", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindNetwork": { + "servicesNodePortRange": { SchemaProps: spec.SchemaProps{ - Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", Default: "", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "schedulerConfigFile": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "schedulerConfigFile points to a file that describes how to set up the scheduler. If empty, you get the default scheduling rules.", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "podEvictionTimeout": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "podEvictionTimeout controls grace period for deleting pods on failed nodes. It takes valid time duration string. If empty, you get the default pod eviction timeout.", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCA": { + "proxyClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "proxyClientInfo specifies the client cert/key to use when proxying to pods", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), }, }, - "namedCertificates": { + "apiServerArguments": { SchemaProps: spec.SchemaProps{ - Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "apiServerArguments are key value pairs that will be passed directly to the Kube apiserver that match the apiservers's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - "minTLSVersion": { - SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"string"}, - Format: "", - }, - }, - "cipherSuites": { + "controllerArguments": { SchemaProps: spec.SchemaProps{ - Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "controllerArguments are key value pairs that will be passed directly to the Kube controller manager that match the controller manager's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - "maxRequestsInFlight": { - SchemaProps: spec.SchemaProps{ - Description: "maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "requestTimeoutSeconds": { + "schedulerArguments": { SchemaProps: spec.SchemaProps{ - Description: "requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if -1 there is no limit on requests.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "schedulerArguments are key value pairs that will be passed directly to the Kube scheduler that match the scheduler's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, }, - Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates", "maxRequestsInFlight", "requestTimeoutSeconds"}, + Required: []string{"apiLevels", "disabledAPIGroupVersions", "masterIP", "masterEndpointReconcileTTL", "servicesSubnet", "servicesNodePortRange", "schedulerConfigFile", "podEvictionTimeout", "proxyClientInfo", "apiServerArguments", "controllerArguments", "schedulerArguments"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, + "github.com/openshift/api/legacyconfig/v1.CertInfo"}, } } -func schema_openshift_api_legacyconfig_v1_IdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPAttributeMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "IdentityProvider provides identities for users authenticating using credentials", + Description: "LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is used to qualify the identities returned by this provider", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "challenge": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "id is the list of attributes whose values should be used as the user ID. Required. LDAP standard identity attribute is \"dn\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "login": { + "preferredUsername": { SchemaProps: spec.SchemaProps{ - Description: "UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is \"uid\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "mappingMethod": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "mappingMethod determines how identities from this provider are mapped to users", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is \"cn\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "provider": { + "email": { SchemaProps: spec.SchemaProps{ - Description: "provider contains the information about how to set up a specific identity provider", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"name", "challenge", "login", "mappingMethod", "provider"}, + Required: []string{"id", "preferredUsername", "name", "email"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_ImageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ImageConfig holds the necessary configuration options for building image names for system components", + Description: "LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "format": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "format is the format of the name to be built for the system component", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "latest": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "latest determines if the latest tag will be pulled from the registry", - Default: false, - Type: []string{"boolean"}, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"format", "latest"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_ImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyConfig holds the necessary configuration options for limits and behavior for importing images", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "maxImagesBulkImportedPerRepository": { - SchemaProps: spec.SchemaProps{ - Description: "maxImagesBulkImportedPerRepository controls the number of images that are imported when a user does a bulk import of a container repository. This number defaults to 50 to prevent users from importing large numbers of images accidentally. Set -1 for no limit.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "disableScheduledImport": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "disableScheduledImport allows scheduled background import of images to be disabled.", - Default: false, - Type: []string{"boolean"}, + Description: "url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is\n ldap://host:port/basedn?attribute?scope?filter", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "scheduledImageImportMinimumIntervalSeconds": { - SchemaProps: spec.SchemaProps{ - Description: "scheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams scheduled for background import are checked against the upstream repository. The default value is 15 minutes.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "maxScheduledImageImportsPerMinute": { + "bindDN": { SchemaProps: spec.SchemaProps{ - Description: "maxScheduledImageImportsPerMinute is the maximum number of scheduled image streams that will be imported in the background per minute. The default value is 60. Set to -1 for unlimited.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "bindDN is an optional DN to bind with during the search phase.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "allowedRegistriesForImport": { + "bindPassword": { SchemaProps: spec.SchemaProps{ - Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.RegistryLocation"), - }, - }, - }, + Description: "bindPassword is an optional password to bind with during the search phase.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "internalRegistryHostname": { + "insecure": { SchemaProps: spec.SchemaProps{ - Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", - Type: []string{"string"}, + Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "externalRegistryHostname": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "externalRegistryHostname sets the hostname for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Default: "", Type: []string{"string"}, Format: "", }, }, - "additionalTrustedCA": { + "attributes": { SchemaProps: spec.SchemaProps{ - Description: "additionalTrustedCA is a path to a pem bundle file containing additional CAs that should be trusted during imagestream import.", - Type: []string{"string"}, - Format: "", + Description: "attributes maps LDAP attributes to identities", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping"), }, }, }, - Required: []string{"maxImagesBulkImportedPerRepository", "disableScheduledImport", "scheduledImageImportMinimumIntervalSeconds", "maxScheduledImageImportsPerMinute"}, + Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "attributes"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.RegistryLocation"}, + "github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping", "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_JenkinsPipelineConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPQuery(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy", + Description: "LDAPQuery holds the options necessary to build an LDAP query", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "autoProvisionEnabled": { + "baseDN": { SchemaProps: spec.SchemaProps{ - Description: "autoProvisionEnabled determines whether a Jenkins server will be spawned from the provided template when the first build config in the project with type JenkinsPipeline is created. When not specified this option defaults to true.", - Type: []string{"boolean"}, + Description: "The DN of the branch of the directory where all searches should start from", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "templateNamespace": { + "scope": { SchemaProps: spec.SchemaProps{ - Description: "templateNamespace contains the namespace name where the Jenkins template is stored", + Description: "The (optional) scope of the search. Can be: base: only the base object, one: all object on the base level, sub: the entire subtree Defaults to the entire subtree if not set", Default: "", Type: []string{"string"}, Format: "", }, }, - "templateName": { + "derefAliases": { SchemaProps: spec.SchemaProps{ - Description: "templateName is the name of the default Jenkins template", + Description: "The (optional) behavior of the search with regards to alisases. Can be: never: never dereference aliases, search: only dereference in searching, base: only dereference in finding the base object, always: always dereference Defaults to always dereferencing if not set", Default: "", Type: []string{"string"}, Format: "", }, }, - "serviceName": { + "timeout": { SchemaProps: spec.SchemaProps{ - Description: "serviceName is the name of the Jenkins service OpenShift uses to detect whether a Jenkins pipeline handler has already been installed in a project. This value *must* match a service name in the provided template.", + Description: "TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is 0, no client-side limit is imposed", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "filter": { + SchemaProps: spec.SchemaProps{ + Description: "filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN", Default: "", Type: []string{"string"}, Format: "", }, }, - "parameters": { + "pageSize": { SchemaProps: spec.SchemaProps{ - Description: "parameters specifies a set of optional parameters to the Jenkins template.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "pageSize is the maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, }, - Required: []string{"autoProvisionEnabled", "templateNamespace", "templateName", "serviceName", "parameters"}, + Required: []string{"baseDN", "scope", "derefAliases", "timeout", "filter", "pageSize"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPSyncConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -31912,554 +30781,43 @@ func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref c }, "url": { SchemaProps: spec.SchemaProps{ - Description: "url is the remote URL to connect to", + Description: "Host is the scheme, host and port of the LDAP server to connect to: scheme://host:port", Default: "", Type: []string{"string"}, Format: "", }, }, - "ca": { + "bindDN": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections", + Description: "bindDN is an optional DN to bind to the LDAP server with", Default: "", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "bindPassword": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "bindPassword is an optional password to bind with during the search phase.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "keyFile": { + "insecure": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", - Type: []string{"string"}, + Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "domainName": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "Domain Name is required for keystone v3", + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", Default: "", Type: []string{"string"}, Format: "", }, }, - "useKeystoneIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "useKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - }, - Required: []string{"url", "ca", "certFile", "keyFile", "domainName", "useKeystoneIdentity"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "port": { - SchemaProps: spec.SchemaProps{ - Description: "port is the port to connect to kubelets on", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections to kubelets", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "certFile": { - SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "keyFile": { - SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"port", "ca", "certFile", "keyFile"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_KubernetesMasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "KubernetesMasterConfig holds the necessary configuration options for the Kubernetes master", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "apiLevels": { - SchemaProps: spec.SchemaProps{ - Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "disabledAPIGroupVersions": { - SchemaProps: spec.SchemaProps{ - Description: "disabledAPIGroupVersions is a map of groups to the versions (or *) that should be disabled.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - "masterIP": { - SchemaProps: spec.SchemaProps{ - Description: "masterIP is the public IP address of kubernetes stuff. If empty, the first result from net.InterfaceAddrs will be used.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "masterEndpointReconcileTTL": { - SchemaProps: spec.SchemaProps{ - Description: "masterEndpointReconcileTTL sets the time to live in seconds of an endpoint record recorded by each master. The endpoints are checked at an interval that is 2/3 of this value and this value defaults to 15s if unset. In very large clusters, this value may be increased to reduce the possibility that the master endpoint record expires (due to other load on the etcd server) and causes masters to drop in and out of the kubernetes service record. It is not recommended to set this value below 15s.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "servicesSubnet": { - SchemaProps: spec.SchemaProps{ - Description: "servicesSubnet is the subnet to use for assigning service IPs", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "servicesNodePortRange": { - SchemaProps: spec.SchemaProps{ - Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "schedulerConfigFile": { - SchemaProps: spec.SchemaProps{ - Description: "schedulerConfigFile points to a file that describes how to set up the scheduler. If empty, you get the default scheduling rules.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "podEvictionTimeout": { - SchemaProps: spec.SchemaProps{ - Description: "podEvictionTimeout controls grace period for deleting pods on failed nodes. It takes valid time duration string. If empty, you get the default pod eviction timeout.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "proxyClientInfo": { - SchemaProps: spec.SchemaProps{ - Description: "proxyClientInfo specifies the client cert/key to use when proxying to pods", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), - }, - }, - "apiServerArguments": { - SchemaProps: spec.SchemaProps{ - Description: "apiServerArguments are key value pairs that will be passed directly to the Kube apiserver that match the apiservers's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - "controllerArguments": { - SchemaProps: spec.SchemaProps{ - Description: "controllerArguments are key value pairs that will be passed directly to the Kube controller manager that match the controller manager's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - "schedulerArguments": { - SchemaProps: spec.SchemaProps{ - Description: "schedulerArguments are key value pairs that will be passed directly to the Kube scheduler that match the scheduler's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - }, - Required: []string{"apiLevels", "disabledAPIGroupVersions", "masterIP", "masterEndpointReconcileTTL", "servicesSubnet", "servicesNodePortRange", "schedulerConfigFile", "podEvictionTimeout", "proxyClientInfo", "apiServerArguments", "controllerArguments", "schedulerArguments"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.CertInfo"}, - } -} - -func schema_openshift_api_legacyconfig_v1_LDAPAttributeMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "id": { - SchemaProps: spec.SchemaProps{ - Description: "id is the list of attributes whose values should be used as the user ID. Required. LDAP standard identity attribute is \"dn\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "preferredUsername": { - SchemaProps: spec.SchemaProps{ - Description: "preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is \"uid\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is \"cn\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "email": { - SchemaProps: spec.SchemaProps{ - Description: "email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - Required: []string{"id", "preferredUsername", "name", "email"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_LDAPPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "url": { - SchemaProps: spec.SchemaProps{ - Description: "url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is\n ldap://host:port/basedn?attribute?scope?filter", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "bindDN": { - SchemaProps: spec.SchemaProps{ - Description: "bindDN is an optional DN to bind with during the search phase.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "bindPassword": { - SchemaProps: spec.SchemaProps{ - Description: "bindPassword is an optional password to bind with during the search phase.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "insecure": { - SchemaProps: spec.SchemaProps{ - Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "attributes": { - SchemaProps: spec.SchemaProps{ - Description: "attributes maps LDAP attributes to identities", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping"), - }, - }, - }, - Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "attributes"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping", "github.com/openshift/api/legacyconfig/v1.StringSource"}, - } -} - -func schema_openshift_api_legacyconfig_v1_LDAPQuery(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LDAPQuery holds the options necessary to build an LDAP query", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "baseDN": { - SchemaProps: spec.SchemaProps{ - Description: "The DN of the branch of the directory where all searches should start from", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "scope": { - SchemaProps: spec.SchemaProps{ - Description: "The (optional) scope of the search. Can be: base: only the base object, one: all object on the base level, sub: the entire subtree Defaults to the entire subtree if not set", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "derefAliases": { - SchemaProps: spec.SchemaProps{ - Description: "The (optional) behavior of the search with regards to alisases. Can be: never: never dereference aliases, search: only dereference in searching, base: only dereference in finding the base object, always: always dereference Defaults to always dereferencing if not set", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "timeout": { - SchemaProps: spec.SchemaProps{ - Description: "TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is 0, no client-side limit is imposed", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "filter": { - SchemaProps: spec.SchemaProps{ - Description: "filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "pageSize": { - SchemaProps: spec.SchemaProps{ - Description: "pageSize is the maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - }, - Required: []string{"baseDN", "scope", "derefAliases", "timeout", "filter", "pageSize"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_LDAPSyncConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "url": { - SchemaProps: spec.SchemaProps{ - Description: "Host is the scheme, host and port of the LDAP server to connect to: scheme://host:port", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "bindDN": { - SchemaProps: spec.SchemaProps{ - Description: "bindDN is an optional DN to bind to the LDAP server with", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "bindPassword": { - SchemaProps: spec.SchemaProps{ - Description: "bindPassword is an optional password to bind with during the search phase.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "insecure": { - SchemaProps: spec.SchemaProps{ - Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "groupUIDNameMapping": { + "groupUIDNameMapping": { SchemaProps: spec.SchemaProps{ Description: "LDAPGroupUIDToOpenShiftGroupNameMapping is an optional direct mapping of LDAP group UIDs to OpenShift Group names", Type: []string{"object"}, @@ -34649,7 +33007,7 @@ func schema_openshift_api_legacyconfig_v1_TokenConfig(ref common.ReferenceCallba }, "accessTokenInactivityTimeoutSeconds": { SchemaProps: spec.SchemaProps{ - Description: "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overridden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", + Description: "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overriden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", Type: []string{"integer"}, Format: "int32", }, @@ -35651,7 +34009,6 @@ func schema_openshift_api_machine_v1_ControlPlaneMachineSetTemplate(ref common.R "machineType": { SchemaProps: spec.SchemaProps{ Description: "machineType determines the type of Machines that should be managed by the ControlPlaneMachineSet. Currently, the only valid value is machines_v1beta1_machine_openshift_io.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -36512,7 +34869,6 @@ func schema_openshift_api_machine_v1_NutanixVMDiskDeviceProperties(ref common.Re "adapterType": { SchemaProps: spec.SchemaProps{ Description: "adapterType is the adapter type of the disk address. If the deviceType is \"Disk\", the valid adapterType can be \"SCSI\", \"IDE\", \"PCI\", \"SATA\" or \"SPAPR\". If the deviceType is \"CDRom\", the valid adapterType can be \"IDE\" or \"SATA\".", - Default: "", Type: []string{"string"}, Format: "", }, @@ -36583,7 +34939,7 @@ func schema_openshift_api_machine_v1_OpenShiftMachineV1Beta1MachineTemplate(ref }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overridden when the Machines are created based on the FailureDomains field.", + Description: "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overriden when the Machines are created based on the FailureDomains field.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), }, @@ -39179,7 +37535,6 @@ func schema_openshift_api_machine_v1beta1_DataDisk(ref common.ReferenceCallback) "lun": { SchemaProps: spec.SchemaProps{ Description: "lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. This value is also needed for referencing the data disks devices within userdata to perform disk initialization through Ignition (e.g. partition/format/mount). The value must be between 0 and 63.", - Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -39287,7 +37642,7 @@ func schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref common.Referenc Properties: map[string]spec.Schema{ "deleteOnTermination": { SchemaProps: spec.SchemaProps{ - Description: "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", + Description: "Indicates whether the EBS volume is deleted on machine termination.", Type: []string{"boolean"}, Format: "", }, @@ -40429,7 +38784,7 @@ func schema_openshift_api_machine_v1beta1_MachineHealthCheckSpec(ref common.Refe }, "maxUnhealthy": { SchemaProps: spec.SchemaProps{ - Description: "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. Defaults to 100% if not set.", + Description: "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation.", Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), }, }, @@ -40506,6 +38861,7 @@ func schema_openshift_api_machine_v1beta1_MachineHealthCheckStatus(ref common.Re }, }, }, + Required: []string{"expectedMachines", "currentHealthy"}, }, }, Dependencies: []string{ @@ -40813,6 +39169,7 @@ func schema_openshift_api_machine_v1beta1_MachineSetStatus(ref common.ReferenceC }, }, }, + Required: []string{"replicas"}, }, }, Dependencies: []string{ @@ -41149,355 +39506,1120 @@ func schema_openshift_api_machine_v1beta1_NetworkSpec(ref common.ReferenceCallba }, }, }, - Required: []string{"devices"}, + Required: []string{"devices"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"}, + } +} + +func schema_openshift_api_machine_v1beta1_OSDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "osType": { + SchemaProps: spec.SchemaProps{ + Description: "osType is the operating system type of the OS disk. Possible values include \"Linux\" and \"Windows\".", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "managedDisk": { + SchemaProps: spec.SchemaProps{ + Description: "managedDisk specifies the Managed Disk parameters for the OS disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"), + }, + }, + "diskSizeGB": { + SchemaProps: spec.SchemaProps{ + Description: "diskSizeGB is the size in GB to assign to the data disk.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "diskSettings": { + SchemaProps: spec.SchemaProps{ + Description: "diskSettings describe ephemeral disk settings for the os disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskSettings"), + }, + }, + "cachingType": { + SchemaProps: spec.SchemaProps{ + Description: "cachingType specifies the caching requirements. Possible values include: 'None', 'ReadOnly', 'ReadWrite'. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `None`.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"osType", "managedDisk", "diskSizeGB"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskSettings", "github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"}, + } +} + +func schema_openshift_api_machine_v1beta1_OSDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OSDiskManagedDiskParameters is the parameters of a OSDisk managed disk.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "storageAccountType": { + SchemaProps: spec.SchemaProps{ + Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "diskEncryptionSet": { + SchemaProps: spec.SchemaProps{ + Description: "diskEncryptionSet is the disk encryption set properties", + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + }, + }, + "securityProfile": { + SchemaProps: spec.SchemaProps{ + Description: "securityProfile specifies the security profile for the managed disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"), + }, + }, + }, + Required: []string{"storageAccountType"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters", "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"}, + } +} + +func schema_openshift_api_machine_v1beta1_ObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. This is a copy of customizable fields from metav1.ObjectMeta.\n\nObjectMeta is embedded in `Machine.Spec`, `MachineDeployment.Template` and `MachineSet.Template`, which are not top-level Kubernetes objects. Given that metav1.ObjectMeta has lots of special cases and read-only fields which end up in the generated CRD validation, having it as a subset simplifies the API and some issues that can impact user experience.\n\nDuring the [upgrade to controller-tools@v2](https://github.com/kubernetes-sigs/cluster-api/pull/1054) for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically `spec.metadata.creationTimestamp in body must be of type string: \"null\"`. The investigation showed that `controller-tools@v2` behaves differently than its previous version when handling types from [metav1](k8s.io/apimachinery/pkg/apis/meta/v1) package.\n\nIn more details, we found that embedded (non-top level) types that embedded `metav1.ObjectMeta` had validation properties, including for `creationTimestamp` (metav1.Time). The `metav1.Time` type specifies a custom json marshaller that, when IsZero() is true, returns `null` which breaks validation because the field isn't marked as nullable.\n\nIn future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", + Type: []string{"string"}, + Format: "", + }, + }, + "generateName": { + SchemaProps: spec.SchemaProps{ + Description: "generateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + Type: []string{"string"}, + Format: "", + }, + }, + "namespace": { + SchemaProps: spec.SchemaProps{ + Description: "namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", + Type: []string{"string"}, + Format: "", + }, + }, + "labels": { + SchemaProps: spec.SchemaProps{ + Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "annotations": { + SchemaProps: spec.SchemaProps{ + Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "ownerReferences": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "uid", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"}, + } +} + +func schema_openshift_api_machine_v1beta1_Placement(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Placement indicates where to create the instance in AWS", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "region": { + SchemaProps: spec.SchemaProps{ + Description: "region is the region to use to create the instance", + Type: []string{"string"}, + Format: "", + }, + }, + "availabilityZone": { + SchemaProps: spec.SchemaProps{ + Description: "availabilityZone is the availability zone of the instance", + Type: []string{"string"}, + Format: "", + }, + }, + "tenancy": { + SchemaProps: spec.SchemaProps{ + Description: "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_ProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ProviderSpec defines the configuration to use during node creation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "value": { + SchemaProps: spec.SchemaProps{ + Description: "value is an inlined, serialized representation of the resource configuration. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field, akin to component config.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + } +} + +func schema_openshift_api_machine_v1beta1_ResourceManagerTag(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ResourceManagerTag is a tag to apply to GCP resources created for the cluster.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "parentID": { + SchemaProps: spec.SchemaProps{ + Description: "parentID is the ID of the hierarchical resource where the tags are defined e.g. at the Organization or the Project level. To find the Organization or Project ID ref https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects An OrganizationID can have a maximum of 32 characters and must consist of decimal numbers, and cannot have leading zeroes. A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens, and must start with a letter, and cannot end with a hyphen.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "key": { + SchemaProps: spec.SchemaProps{ + Description: "key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `._-`.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"parentID", "key", "value"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_SecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecurityProfile specifies the Security profile settings for a virtual machine or virtual machine scale set.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "encryptionAtHost": { + SchemaProps: spec.SchemaProps{ + Description: "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", + Type: []string{"boolean"}, + Format: "", + }, + }, + "settings": { + SchemaProps: spec.SchemaProps{ + Description: "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.SecuritySettings"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.SecuritySettings"}, + } +} + +func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "securityType": { + SchemaProps: spec.SchemaProps{ + Description: "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + Type: []string{"string"}, + Format: "", + }, + }, + "confidentialVM": { + SchemaProps: spec.SchemaProps{ + Description: "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Ref: ref("github.com/openshift/api/machine/v1beta1.ConfidentialVM"), + }, + }, + "trustedLaunch": { + SchemaProps: spec.SchemaProps{ + Description: "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", + Ref: ref("github.com/openshift/api/machine/v1beta1.TrustedLaunch"), + }, + }, + }, + Required: []string{"securityType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "securityType", + "fields-to-discriminateBy": map[string]interface{}{ + "confidentialVM": "ConfidentialVM", + "trustedLaunch": "TrustedLaunch", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.ConfidentialVM", "github.com/openshift/api/machine/v1beta1.TrustedLaunch"}, + } +} + +func schema_openshift_api_machine_v1beta1_SpotMarketOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SpotMarketOptions defines the options available to a user when configuring Machines to run on Spot instances. Most users should provide an empty struct.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "maxPrice": { + SchemaProps: spec.SchemaProps{ + Description: "The maximum price the user is willing to pay for their instances Default: On-Demand price", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_SpotVMOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SpotVMOptions defines the options relevant to running the Machine on Spot VMs", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "maxPrice": { + SchemaProps: spec.SchemaProps{ + Description: "maxPrice defines the maximum price the user is willing to pay for Spot VM instances", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/api/resource.Quantity"}, + } +} + +func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TagSpecification is the name/value pair for a tag", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name of the tag", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "value of the tag", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name", "value"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_TrustedLaunch(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TrustedLaunch defines the UEFI settings for the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uefiSettings": { + SchemaProps: spec.SchemaProps{ + Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + }, + }, + }, + Required: []string{"uefiSettings"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.UEFISettings"}, + } +} + +func schema_openshift_api_machine_v1beta1_UEFISettings(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secureBoot": { + SchemaProps: spec.SchemaProps{ + Description: "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + "virtualizedTrustedPlatformModule": { + SchemaProps: spec.SchemaProps{ + Description: "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "UnhealthyCondition represents a Node condition type and value with a timeout specified as a duration. When the named condition has been in the given status for at least the timeout value, a node is considered unhealthy.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "timeout": { + SchemaProps: spec.SchemaProps{ + Description: "Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), + }, + }, + }, + Required: []string{"type", "status", "timeout"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + } +} + +func schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "diskEncryptionSet": { + SchemaProps: spec.SchemaProps{ + Description: "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + }, + }, + "securityEncryptionType": { + SchemaProps: spec.SchemaProps{ + Description: "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, + } +} + +func schema_openshift_api_machine_v1beta1_VSphereDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VSphereDisk describes additional disks for vSphere.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "sizeGiB": { + SchemaProps: spec.SchemaProps{ + Description: "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "provisioningMode": { + SchemaProps: spec.SchemaProps{ + Description: "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name", "sizeGiB"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "userDataSecret": { + SchemaProps: spec.SchemaProps{ + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "credentialsSecret": { + SchemaProps: spec.SchemaProps{ + Description: "credentialsSecret is a reference to the secret with vSphere credentials.", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "template": { + SchemaProps: spec.SchemaProps{ + Description: "template is the name, inventory path, or instance UUID of the template used to clone new machines.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "workspace": { + SchemaProps: spec.SchemaProps{ + Description: "workspace describes the workspace to use for the machine.", + Ref: ref("github.com/openshift/api/machine/v1beta1.Workspace"), + }, + }, + "network": { + SchemaProps: spec.SchemaProps{ + Description: "network is the network configuration for this machine's VM.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkSpec"), + }, + }, + "numCPUs": { + SchemaProps: spec.SchemaProps{ + Description: "numCPUs is the number of virtual processors in a virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "numCoresPerSocket": { + SchemaProps: spec.SchemaProps{ + Description: "NumCPUs is the number of cores among which to distribute CPUs in this virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "memoryMiB": { + SchemaProps: spec.SchemaProps{ + Description: "memoryMiB is the size of a virtual machine's memory, in MiB. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "diskGiB": { + SchemaProps: spec.SchemaProps{ + Description: "diskGiB is the size of a virtual machine's disk, in GiB. Defaults to the analogue property value in the template from which this machine is cloned. This parameter will be ignored if 'LinkedClone' CloneMode is set.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "tagIDs": { + SchemaProps: spec.SchemaProps{ + Description: "tagIDs is an optional set of tags to add to an instance. Specified tagIDs must use URN-notation instead of display names. A maximum of 10 tag IDs may be specified.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "snapshot": { + SchemaProps: spec.SchemaProps{ + Description: "snapshot is the name of the snapshot from which the VM was cloned", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "cloneMode": { + SchemaProps: spec.SchemaProps{ + Description: "cloneMode specifies the type of clone operation. The LinkedClone mode is only support for templates that have at least one snapshot. If the template has no snapshots, then CloneMode defaults to FullClone. When LinkedClone mode is enabled the DiskGiB field is ignored as it is not possible to expand disks of linked clones. Defaults to FullClone. When using LinkedClone, if no snapshots exist for the source template, falls back to FullClone.", + Type: []string{"string"}, + Format: "", + }, + }, + "dataDisks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "dataDisks is a list of non OS disks to be created and attached to the VM. The max number of disk allowed to be attached is currently 29. The max number of disks for any controller is 30, but VM template will always have OS disk so that will leave 29 disks on any controller type.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.VSphereDisk"), + }, + }, + }, + }, + }, + }, + Required: []string{"template", "network"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.NetworkSpec", "github.com/openshift/api/machine/v1beta1.VSphereDisk", "github.com/openshift/api/machine/v1beta1.Workspace", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VSphereMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains VSphere-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "instanceId": { + SchemaProps: spec.SchemaProps{ + Description: "instanceId is the ID of the instance in VSphere", + Type: []string{"string"}, + Format: "", + }, + }, + "instanceState": { + SchemaProps: spec.SchemaProps{ + Description: "instanceState is the provisioning state of the VSphere Instance.", + Type: []string{"string"}, + Format: "", + }, + }, + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "taskRef": { + SchemaProps: spec.SchemaProps{ + Description: "taskRef is a managed object reference to a Task related to the machine. This value is set automatically at runtime and should not be set or modified by users.", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1beta1_OSDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Workspace(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "WorkspaceConfig defines a workspace configuration for the vSphere cloud provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "osType": { + "server": { SchemaProps: spec.SchemaProps{ - Description: "osType is the operating system type of the OS disk. Possible values include \"Linux\" and \"Windows\".", - Default: "", + Description: "server is the IP address or FQDN of the vSphere endpoint.", Type: []string{"string"}, Format: "", }, }, - "managedDisk": { + "datacenter": { SchemaProps: spec.SchemaProps{ - Description: "managedDisk specifies the Managed Disk parameters for the OS disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"), + Description: "datacenter is the datacenter in which VMs are created/located.", + Type: []string{"string"}, + Format: "", }, }, - "diskSizeGB": { + "folder": { SchemaProps: spec.SchemaProps{ - Description: "diskSizeGB is the size in GB to assign to the data disk.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "folder is the folder in which VMs are created/located.", + Type: []string{"string"}, + Format: "", }, }, - "diskSettings": { + "datastore": { SchemaProps: spec.SchemaProps{ - Description: "diskSettings describe ephemeral disk settings for the os disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskSettings"), + Description: "datastore is the datastore in which VMs are created/located.", + Type: []string{"string"}, + Format: "", }, }, - "cachingType": { + "resourcePool": { SchemaProps: spec.SchemaProps{ - Description: "cachingType specifies the caching requirements. Possible values include: 'None', 'ReadOnly', 'ReadWrite'. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `None`.", + Description: "resourcePool is the resource pool in which VMs are created/located.", + Type: []string{"string"}, + Format: "", + }, + }, + "vmGroup": { + SchemaProps: spec.SchemaProps{ + Description: "vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"osType", "managedDisk", "diskSizeGB"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskSettings", "github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"}, } } -func schema_openshift_api_machine_v1beta1_OSDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OSDiskManagedDiskParameters is the parameters of a OSDisk managed disk.", + Description: "BuildInputs holds all of the information needed to trigger a build", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "storageAccountType": { + "baseOSExtensionsImagePullspec": { SchemaProps: spec.SchemaProps{ - Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", - Default: "", + Description: "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", Type: []string{"string"}, Format: "", }, }, - "diskEncryptionSet": { + "baseOSImagePullspec": { SchemaProps: spec.SchemaProps{ - Description: "diskEncryptionSet is the disk encryption set properties", - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + Description: "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + Type: []string{"string"}, + Format: "", }, }, - "securityProfile": { + "baseImagePullSecret": { SchemaProps: spec.SchemaProps{ - Description: "securityProfile specifies the security profile for the managed disk.", + Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), }, }, - }, - Required: []string{"storageAccountType"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters", "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"}, - } -} - -func schema_openshift_api_machine_v1beta1_ObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. This is a copy of customizable fields from metav1.ObjectMeta.\n\nObjectMeta is embedded in `Machine.Spec`, `MachineDeployment.Template` and `MachineSet.Template`, which are not top-level Kubernetes objects. Given that metav1.ObjectMeta has lots of special cases and read-only fields which end up in the generated CRD validation, having it as a subset simplifies the API and some issues that can impact user experience.\n\nDuring the [upgrade to controller-tools@v2](https://github.com/kubernetes-sigs/cluster-api/pull/1054) for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically `spec.metadata.creationTimestamp in body must be of type string: \"null\"`. The investigation showed that `controller-tools@v2` behaves differently than its previous version when handling types from [metav1](k8s.io/apimachinery/pkg/apis/meta/v1) package.\n\nIn more details, we found that embedded (non-top level) types that embedded `metav1.ObjectMeta` had validation properties, including for `creationTimestamp` (metav1.Time). The `metav1.Time` type specifies a custom json marshaller that, when IsZero() is true, returns `null` which breaks validation because the field isn't marked as nullable.\n\nIn future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { + "imageBuilder": { SchemaProps: spec.SchemaProps{ - Description: "name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - Type: []string{"string"}, - Format: "", + Description: "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder"), }, }, - "generateName": { + "renderedImagePushSecret": { SchemaProps: spec.SchemaProps{ - Description: "generateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - Type: []string{"string"}, - Format: "", + Description: "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), }, }, - "namespace": { + "renderedImagePushspec": { SchemaProps: spec.SchemaProps{ - Description: "namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", + Description: "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + Default: "", Type: []string{"string"}, Format: "", }, }, - "labels": { - SchemaProps: spec.SchemaProps{ - Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "annotations": { + "releaseVersion": { SchemaProps: spec.SchemaProps{ - Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", + Type: []string{"string"}, + Format: "", }, }, - "ownerReferences": { + "containerFile": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "uid", + "containerfileArch", }, "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-merge-key": "containerfileArch", "x-kubernetes-patch-strategy": "merge", }, }, SchemaProps: spec.SchemaProps{ - Description: "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + Description: "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile"), }, }, }, }, }, }, + Required: []string{"baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder"}, } } -func schema_openshift_api_machine_v1beta1_Placement(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_BuildOutputs(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Placement indicates where to create the instance in AWS", + Description: "BuildOutputs holds all information needed to handle booting the image after a build", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "region": { - SchemaProps: spec.SchemaProps{ - Description: "region is the region to use to create the instance", - Type: []string{"string"}, - Format: "", - }, - }, - "availabilityZone": { + "currentImagePullSecret": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone is the availability zone of the instance", - Type: []string{"string"}, - Format: "", + Description: "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), }, }, - "tenancy": { - SchemaProps: spec.SchemaProps{ - Description: "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host.", - Type: []string{"string"}, - Format: "", + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "fields-to-discriminateBy": map[string]interface{}{ + "currentImagePullSecret": "CurrentImagePullSecret", + }, }, }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"}, } } -func schema_openshift_api_machine_v1beta1_ProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_ImageSecretObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ProviderSpec defines the configuration to use during node creation.", + Description: "Refers to the name of an image registry push/pull secret needed in the build process.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "value": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "value is an inlined, serialized representation of the resource configuration. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field, akin to component config.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_machine_v1beta1_ResourceManagerTag(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ResourceManagerTag is a tag to apply to GCP resources created for the cluster.", + Description: "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "parentID": { - SchemaProps: spec.SchemaProps{ - Description: "parentID is the ID of the hierarchical resource where the tags are defined e.g. at the Organization or the Project level. To find the Organization or Project ID ref https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects An OrganizationID can have a maximum of 32 characters and must consist of decimal numbers, and cannot have leading zeroes. A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens, and must start with a letter, and cannot end with a hyphen.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "key": { - SchemaProps: spec.SchemaProps{ - Description: "key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `._-`.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "value": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.", + Description: "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"parentID", "key", "value"}, + Required: []string{"name"}, }, }, } } -func schema_openshift_api_machine_v1beta1_SecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SecurityProfile specifies the Security profile settings for a virtual machine or virtual machine scale set.", + Description: "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "encryptionAtHost": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", - Type: []string{"boolean"}, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, Format: "", }, }, - "settings": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object metadata.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.SecuritySettings"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec describes the configuration of the machine config node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status describes the last observed state of this machine config node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus"), }, }, }, + Required: []string{"spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.SecuritySettings"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + Description: "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "securityType": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "confidentialVM": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", - Ref: ref("github.com/openshift/api/machine/v1beta1.ConfidentialVM"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "trustedLaunch": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", - Ref: ref("github.com/openshift/api/machine/v1beta1.TrustedLaunch"), + Description: "metadata is the standard list metadata.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - }, - Required: []string{"securityType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "securityType", - "fields-to-discriminateBy": map[string]interface{}{ - "confidentialVM": "ConfidentialVM", - "trustedLaunch": "TrustedLaunch", + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items contains a collection of MachineConfigNode resources.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode"), + }, + }, }, }, }, @@ -41505,238 +40627,250 @@ func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceC }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.ConfidentialVM", "github.com/openshift/api/machine/v1beta1.TrustedLaunch"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_SpotMarketOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SpotMarketOptions defines the options available to a user when configuring Machines to run on Spot instances. Most users should provide an empty struct.", + Description: "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "maxPrice": { + "node": { SchemaProps: spec.SchemaProps{ - Description: "The maximum price the user is willing to pay for their instances Default: On-Demand price", - Type: []string{"string"}, - Format: "", + Description: "node contains a reference to the node for this machine config node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), }, }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_SpotVMOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SpotVMOptions defines the options relevant to running the Machine on Spot VMs", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "maxPrice": { + "pool": { SchemaProps: spec.SchemaProps{ - Description: "maxPrice defines the maximum price the user is willing to pay for Spot VM instances", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + Description: "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), + }, + }, + "configVersion": { + SchemaProps: spec.SchemaProps{ + Description: "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"), }, }, }, + Required: []string{"node", "pool", "configVersion"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/api/resource.Quantity"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"}, } } -func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpecMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TagSpecification is the name/value pair for a tag", + Description: "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name of the tag", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "value": { + "desired": { SchemaProps: spec.SchemaProps{ - Description: "value of the tag", + Description: "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name", "value"}, + Required: []string{"desired"}, }, }, } } -func schema_openshift_api_machine_v1beta1_TrustedLaunch(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TrustedLaunch defines the UEFI settings for the virtual machine.", + Description: "MachineConfigNodeStatus holds the reported information on a particular machine config node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "uefiSettings": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Description: "conditions represent the observations of a machine config node's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "configVersion": { + SchemaProps: spec.SchemaProps{ + Description: "configVersion describes the current and desired machine config version for this node.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion"), + }, + }, + "pinnedImageSets": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "pinnedImageSets describes the current and desired pinned image sets for this node.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet"), + }, + }, + }, }, }, }, - Required: []string{"uefiSettings"}, + Required: []string{"configVersion"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.UEFISettings"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1beta1_UEFISettings(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Description: "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "secureBoot": { + "current": { SchemaProps: spec.SchemaProps{ - Description: "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Description: "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "virtualizedTrustedPlatformModule": { + "desired": { SchemaProps: spec.SchemaProps{ - Description: "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Description: "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"desired"}, }, }, } } -func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UnhealthyCondition represents a Node condition type and value with a timeout specified as a duration. When the named condition has been in the given status for at least the timeout value, a node is considered unhealthy.", + Description: "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "name": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "name is the name of the pinned image set. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "status": { + "currentGeneration": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - "timeout": { + "desiredGeneration": { SchemaProps: spec.SchemaProps{ - Description: "Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), + Description: "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - }, - Required: []string{"type", "status", "timeout"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, - } -} - -func schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "diskEncryptionSet": { + "lastFailedGeneration": { SchemaProps: spec.SchemaProps{ - Description: "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + Description: "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - "securityEncryptionType": { + "lastFailedGenerationError": { SchemaProps: spec.SchemaProps{ - Description: "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Description: "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, } } -func schema_openshift_api_machine_v1beta1_VSphereDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigPoolReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereDisk describes additional disks for vSphere.", + Description: "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", + Description: "name of the MachineConfigPool object.", Default: "", Type: []string{"string"}, Format: "", }, }, - "sizeGiB": { - SchemaProps: spec.SchemaProps{ - Description: "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "provisioningMode": { - SchemaProps: spec.SchemaProps{ - Description: "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", - Type: []string{"string"}, - Format: "", - }, - }, }, - Required: []string{"name", "sizeGiB"}, + Required: []string{"name"}, }, }, } } -func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuild(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -41759,163 +40893,139 @@ func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common. Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "userDataSecret": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "spec describes the configuration of the machine os build", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec"), }, }, - "credentialsSecret": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with vSphere credentials.", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "status describes the lst observed state of this machine os build", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus"), }, }, - "template": { + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "template is the name, inventory path, or instance UUID of the template used to clone new machines.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "workspace": { - SchemaProps: spec.SchemaProps{ - Description: "workspace describes the workspace to use for the machine.", - Ref: ref("github.com/openshift/api/machine/v1beta1.Workspace"), - }, - }, - "network": { - SchemaProps: spec.SchemaProps{ - Description: "network is the network configuration for this machine's VM.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkSpec"), - }, - }, - "numCPUs": { - SchemaProps: spec.SchemaProps{ - Description: "numCPUs is the number of virtual processors in a virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "numCoresPerSocket": { - SchemaProps: spec.SchemaProps{ - Description: "NumCPUs is the number of cores among which to distribute CPUs in this virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "memoryMiB": { - SchemaProps: spec.SchemaProps{ - Description: "memoryMiB is the size of a virtual machine's memory, in MiB. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - "diskGiB": { - SchemaProps: spec.SchemaProps{ - Description: "diskGiB is the size of a virtual machine's disk, in GiB. Defaults to the analogue property value in the template from which this machine is cloned. This parameter will be ignored if 'LinkedClone' CloneMode is set.", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "tagIDs": { - SchemaProps: spec.SchemaProps{ - Description: "tagIDs is an optional set of tags to add to an instance. Specified tagIDs must use URN-notation instead of display names. A maximum of 10 tag IDs may be specified.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "snapshot": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "snapshot is the name of the snapshot from which the VM was cloned", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "cloneMode": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "cloneMode specifies the type of clone operation. The LinkedClone mode is only support for templates that have at least one snapshot. If the template has no snapshots, then CloneMode defaults to FullClone. When LinkedClone mode is enabled the DiskGiB field is ignored as it is not possible to expand disks of linked clones. Defaults to FullClone. When using LinkedClone, if no snapshots exist for the source template, falls back to FullClone.", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - "dataDisks": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, + "items": { SchemaProps: spec.SchemaProps{ - Description: "dataDisks is a list of non OS disks to be created and attached to the VM. The max number of disk allowed to be attached is currently 29. The max number of disks for any controller is 30, but VM template will always have OS disk so that will leave 29 disks on any controller type.", - Type: []string{"array"}, + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.VSphereDisk"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild"), }, }, }, }, }, }, - Required: []string{"template", "network"}, + Required: []string{"metadata", "items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.NetworkSpec", "github.com/openshift/api/machine/v1beta1.VSphereDisk", "github.com/openshift/api/machine/v1beta1.Workspace", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains VSphere-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "configGeneration": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "configGeneration tracks which version of MachineOSConfig this build is based off of", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, - "apiVersion": { + "desiredConfig": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "desiredConfig is the desired config we want to build an image for.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference"), }, }, - "instanceId": { + "machineOSConfig": { SchemaProps: spec.SchemaProps{ - Description: "instanceId is the ID of the instance in VSphere", - Type: []string{"string"}, - Format: "", + Description: "machineOSConfig is the config object which the build is based off of", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference"), }, }, - "instanceState": { + "version": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the provisioning state of the VSphere Instance.", + Description: "version tracks the newest MachineOSBuild for each MachineOSConfig", + Default: 0, + Type: []string{"integer"}, + Format: "int64", + }, + }, + "renderedImagePushspec": { + SchemaProps: spec.SchemaProps{ + Description: "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + Default: "", Type: []string{"string"}, Format: "", }, }, + }, + Required: []string{"configGeneration", "desiredConfig", "machineOSConfig", "version", "renderedImagePushspec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference", "github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference"}, + } +} + +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MachineOSBuildStatus describes the state of a build and other helpful information.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ @@ -41926,7 +41036,7 @@ func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref commo }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Description: "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -41938,103 +41048,101 @@ func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref commo }, }, }, - "taskRef": { - SchemaProps: spec.SchemaProps{ - Description: "taskRef is a managed object reference to a Task related to the machine. This value is set automatically at runtime and should not be set or modified by users.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, - } -} - -func schema_openshift_api_machine_v1beta1_Workspace(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "WorkspaceConfig defines a workspace configuration for the vSphere cloud provider.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "server": { + "builderReference": { SchemaProps: spec.SchemaProps{ - Description: "server is the IP address or FQDN of the vSphere endpoint.", - Type: []string{"string"}, - Format: "", + Description: "ImageBuilderType describes the image builder set in the MachineOSConfig", + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference"), }, }, - "datacenter": { - SchemaProps: spec.SchemaProps{ - Description: "datacenter is the datacenter in which VMs are created/located.", - Type: []string{"string"}, - Format: "", - }, - }, - "folder": { + "relatedObjects": { SchemaProps: spec.SchemaProps{ - Description: "folder is the folder in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "relatedObjects is a list of objects that are related to the build process.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"), + }, + }, + }, }, }, - "datastore": { + "buildStart": { SchemaProps: spec.SchemaProps{ - Description: "datastore is the datastore in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "buildStart describes when the build started.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "resourcePool": { + "buildEnd": { SchemaProps: spec.SchemaProps{ - Description: "resourcePool is the resource pool in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "buildEnd describes when the build ended.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "vmGroup": { + "finalImagePullspec": { SchemaProps: spec.SchemaProps{ - Description: "vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal.", + Description: "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"buildStart"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference", "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuilderReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", + Description: "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "imageBuilderType": { SchemaProps: spec.SchemaProps{ - Description: "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Description: "imageBuilderType describes the image builder set in the MachineOSConfig", Default: "", Type: []string{"string"}, Format: "", }, }, + "buildPod": { + SchemaProps: spec.SchemaProps{ + Description: "relatedObjects is a list of objects that are related to the build process.", + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"), + }, + }, + }, + Required: []string{"imageBuilderType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "imageBuilderType", + "fields-to-discriminateBy": map[string]interface{}{ + "buildPod": "PodImageBuilder", + }, + }, + }, }, - Required: []string{"name"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -42053,23 +41161,22 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref co }, "metadata": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object metadata.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec describes the configuration of the machine config node.", + Description: "spec describes the configuration of the machineosconfig", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status describes the last observed state of this machine config node.", + Description: "status describes the status of the machineosconfig", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus"), }, }, }, @@ -42077,15 +41184,15 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref co }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -42104,97 +41211,96 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(re }, "metadata": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list metadata.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, "items": { SchemaProps: spec.SchemaProps{ - Description: "items contains a collection of MachineConfigNode resources.", - Type: []string{"array"}, + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig"), }, }, }, }, }, }, + Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", + Description: "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "node": { - SchemaProps: spec.SchemaProps{ - Description: "node contains a reference to the node for this machine config node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), - }, - }, - "pool": { - SchemaProps: spec.SchemaProps{ - Description: "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), - }, - }, - "configVersion": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"), + Description: "name of the MachineOSConfig", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"node", "pool", "configVersion"}, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpecMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", + Description: "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "desired": { + "machineConfigPool": { SchemaProps: spec.SchemaProps{ - Description: "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "machineConfigPool is the pool which the build is for", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference"), + }, + }, + "buildInputs": { + SchemaProps: spec.SchemaProps{ + Description: "buildInputs is where user input options for the build live", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs"), + }, + }, + "buildOutputs": { + SchemaProps: spec.SchemaProps{ + Description: "buildOutputs is where user input options for the build live", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs"), }, }, }, - Required: []string{"desired"}, + Required: []string{"machineConfigPool", "buildInputs"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs", "github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatus holds the reported information on a particular machine config node.", + Description: "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", Type: []string{"object"}, Properties: map[string]spec.Schema{ "conditions": { @@ -42207,7 +41313,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus( }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions represent the observations of a machine config node's current state.", + Description: "conditions are state related conditions for the config.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -42221,124 +41327,118 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus( }, "observedGeneration": { SchemaProps: spec.SchemaProps{ - Description: "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", + Description: "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", Type: []string{"integer"}, Format: "int64", }, }, - "configVersion": { - SchemaProps: spec.SchemaProps{ - Description: "configVersion describes the current and desired machine config version for this node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion"), - }, - }, - "pinnedImageSets": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, + "currentImagePullspec": { SchemaProps: spec.SchemaProps{ - Description: "pinnedImageSets describes the current and desired pinned image sets for this node.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet"), - }, - }, - }, + Description: "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"configVersion"}, + Required: []string{"observedGeneration"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSContainerfile(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", + Description: "MachineOSContainerfile contains all custom content the user wants built into the image", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "current": { + "containerfileArch": { SchemaProps: spec.SchemaProps{ - Description: "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Description: "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", Default: "", Type: []string{"string"}, Format: "", }, }, - "desired": { + "content": { SchemaProps: spec.SchemaProps{ - Description: "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Description: "content is the custom content to be built", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"desired"}, + Required: []string{"content"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSImageBuilder(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "imageBuilderType": { SchemaProps: spec.SchemaProps{ - Description: "name is the name of the pinned image set. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Description: "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", Default: "", Type: []string{"string"}, Format: "", }, }, - "currentGeneration": { + }, + Required: []string{"imageBuilderType"}, + }, + }, + } +} + +func schema_openshift_api_machineconfiguration_v1alpha1_ObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ObjectReference contains enough information to let you inspect or modify the referred object.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "group": { SchemaProps: spec.SchemaProps{ - Description: "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Description: "group of the referent.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "desiredGeneration": { + "resource": { SchemaProps: spec.SchemaProps{ - Description: "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Description: "resource of the referent.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "lastFailedGeneration": { + "namespace": { SchemaProps: spec.SchemaProps{ - Description: "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Description: "namespace of the referent.", + Type: []string{"string"}, + Format: "", }, }, - "lastFailedGenerationError": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", + Description: "name of the referent.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, + Required: []string{"group", "resource", "name"}, }, }, } @@ -42540,6 +41640,28 @@ func schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetStatus(ref } } +func schema_openshift_api_machineconfiguration_v1alpha1_RenderedMachineConfigReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the name of the rendered MachineConfig object.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + func schema_openshift_api_monitoring_v1_AlertRelabelConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -45927,6 +45049,12 @@ func schema_openshift_api_openshiftcontrolplane_v1_OpenShiftControllerManagerCon Format: "", }, }, + "kubeClientConfig": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), + }, + }, "servingInfo": { SchemaProps: spec.SchemaProps{ Description: "servingInfo describes how to start serving", @@ -46031,11 +45159,11 @@ func schema_openshift_api_openshiftcontrolplane_v1_OpenShiftControllerManagerCon }, }, }, - Required: []string{"servingInfo", "leaderElection", "controllers", "resourceQuota", "serviceServingCert", "deployer", "build", "serviceAccount", "dockerPullSecret", "network", "ingress", "imageImport", "securityAllocator", "featureGates"}, + Required: []string{"kubeClientConfig", "servingInfo", "leaderElection", "controllers", "resourceQuota", "serviceServingCert", "deployer", "build", "serviceAccount", "dockerPullSecret", "network", "ingress", "imageImport", "securityAllocator", "featureGates"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.LeaderElection", "github.com/openshift/api/openshiftcontrolplane/v1.BuildControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DeployerControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DockerPullSecretControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ImageImportControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.IngressControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.NetworkControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ResourceQuotaControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.SecurityAllocator", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceAccountControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceServingCert"}, + "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/config/v1.LeaderElection", "github.com/openshift/api/openshiftcontrolplane/v1.BuildControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DeployerControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DockerPullSecretControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ImageImportControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.IngressControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.NetworkControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ResourceQuotaControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.SecurityAllocator", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceAccountControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceServingCert"}, } } @@ -47000,6 +46128,7 @@ func schema_openshift_api_operator_v1_AuthenticationStatus(ref common.ReferenceC }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47371,6 +46500,7 @@ func schema_openshift_api_operator_v1_CSISnapshotControllerStatus(ref common.Ref }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47732,6 +46862,7 @@ func schema_openshift_api_operator_v1_CloudCredentialStatus(ref common.Reference }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47988,6 +47119,7 @@ func schema_openshift_api_operator_v1_ClusterCSIDriverStatus(ref common.Referenc }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -48286,6 +47418,7 @@ func schema_openshift_api_operator_v1_ConfigStatus(ref common.ReferenceCallback) }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -48758,6 +47891,7 @@ func schema_openshift_api_operator_v1_ConsoleStatus(ref common.ReferenceCallback }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -49796,6 +48930,7 @@ func schema_openshift_api_operator_v1_EtcdStatus(ref common.ReferenceCallback) c }, }, }, + Required: []string{"readyReplicas", "controlPlaneHardwareSpeed"}, }, }, Dependencies: []string{ @@ -50571,7 +49706,7 @@ func schema_openshift_api_operator_v1_IPv4GatewayConfig(ref common.ReferenceCall Properties: map[string]spec.Schema{ "internalMasqueradeSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format", + Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, @@ -50590,14 +49725,14 @@ func schema_openshift_api_operator_v1_IPv4OVNKubernetesConfig(ref common.Referen Properties: map[string]spec.Schema{ "internalTransitSwitchSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, }, "internalJoinSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + Description: "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The current default value is 100.64.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, @@ -50617,7 +49752,7 @@ func schema_openshift_api_operator_v1_IPv6GatewayConfig(ref common.ReferenceCall Properties: map[string]spec.Schema{ "internalMasqueradeSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted", + Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/125 Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, @@ -50636,14 +49771,14 @@ func schema_openshift_api_operator_v1_IPv6OVNKubernetesConfig(ref common.Referen Properties: map[string]spec.Schema{ "internalTransitSwitchSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, }, "internalJoinSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + Description: "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, @@ -50743,7 +49878,6 @@ func schema_openshift_api_operator_v1_IngressControllerCaptureHTTPCookie(ref com "matchType": { SchemaProps: spec.SchemaProps{ Description: "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -50802,7 +49936,6 @@ func schema_openshift_api_operator_v1_IngressControllerCaptureHTTPCookieUnion(re "matchType": { SchemaProps: spec.SchemaProps{ Description: "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -51451,6 +50584,7 @@ func schema_openshift_api_operator_v1_IngressControllerStatus(ref common.Referen }, }, }, + Required: []string{"availableReplicas", "selector", "domain"}, }, }, Dependencies: []string{ @@ -51802,6 +50936,7 @@ func schema_openshift_api_operator_v1_InsightsOperatorStatus(ref common.Referenc }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -51849,39 +50984,6 @@ func schema_openshift_api_operator_v1_InsightsReport(ref common.ReferenceCallbac } } -func schema_openshift_api_operator_v1_IrreconcilableValidationOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "IrreconcilableValidationOverrides holds the irreconcilable validations overrides to be applied on each rendered MachineConfig generation.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "storage": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "storage can be used to allow making irreconcilable changes to the selected sections under the `spec.config.storage` field of MachineConfig CRs It must have at least one item, may not exceed 3 items and must not contain duplicates. Allowed element values are \"Disks\", \"FileSystems\", \"Raid\" and omitted. When contains \"Disks\" changes to the `spec.config.storage.disks` section of MachineConfig CRs are allowed. When contains \"FileSystems\" changes to the `spec.config.storage.filesystems` section of MachineConfig CRs are allowed. When contains \"Raid\" changes to the `spec.config.storage.raid` section of MachineConfig CRs are allowed. When omitted changes to the `spec.config.storage` section are forbidden.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - } -} - func schema_openshift_api_operator_v1_KubeAPIServer(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -52181,6 +51283,7 @@ func schema_openshift_api_operator_v1_KubeAPIServerStatus(ref common.ReferenceCa }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -52481,6 +51584,7 @@ func schema_openshift_api_operator_v1_KubeControllerManagerStatus(ref common.Ref }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -52773,6 +51877,7 @@ func schema_openshift_api_operator_v1_KubeSchedulerStatus(ref common.ReferenceCa }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -53012,6 +52117,7 @@ func schema_openshift_api_operator_v1_KubeStorageVersionMigratorStatus(ref commo }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -53406,19 +52512,12 @@ func schema_openshift_api_operator_v1_MachineConfigurationSpec(ref common.Refere Ref: ref("github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig"), }, }, - "irreconcilableValidationOverrides": { - SchemaProps: spec.SchemaProps{ - Description: "irreconcilableValidationOverrides is an optional field that can used to make changes to a MachineConfig that cannot be applied to existing nodes. When specified, the fields configured with validation overrides will no longer reject changes to those respective fields due to them not being able to be applied to existing nodes. Only newly provisioned nodes will have these configurations applied. Existing nodes will report observed configuration differences in their MachineConfigNode status.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides"), - }, - }, }, Required: []string{"managementState", "forceRedeploymentReason"}, }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides", "github.com/openshift/api/operator/v1.ManagedBootImages", "github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "github.com/openshift/api/operator/v1.ManagedBootImages", "github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } @@ -53777,6 +52876,7 @@ func schema_openshift_api_operator_v1_MyOperatorResourceStatus(ref common.Refere }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -54210,6 +53310,7 @@ func schema_openshift_api_operator_v1_NetworkStatus(ref common.ReferenceCallback }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55113,6 +54214,7 @@ func schema_openshift_api_operator_v1_OLMStatus(ref common.ReferenceCallback) co }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55168,14 +54270,14 @@ func schema_openshift_api_operator_v1_OVNKubernetesConfig(ref common.ReferenceCa }, "v4InternalSubnet": { SchemaProps: spec.SchemaProps{ - Description: "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is 100.64.0.0/16", + Description: "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", Type: []string{"string"}, Format: "", }, }, "v6InternalSubnet": { SchemaProps: spec.SchemaProps{ - Description: "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is fd98::/64", + Description: "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", Type: []string{"string"}, Format: "", }, @@ -55448,6 +54550,7 @@ func schema_openshift_api_operator_v1_OpenShiftAPIServerStatus(ref common.Refere }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55687,6 +54790,7 @@ func schema_openshift_api_operator_v1_OpenShiftControllerManagerStatus(ref commo }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55947,6 +55051,7 @@ func schema_openshift_api_operator_v1_OperatorStatus(ref common.ReferenceCallbac }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -56792,6 +55897,7 @@ func schema_openshift_api_operator_v1_ServiceCAStatus(ref common.ReferenceCallba }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -57031,6 +56137,7 @@ func schema_openshift_api_operator_v1_ServiceCatalogAPIServerStatus(ref common.R }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -57270,6 +56377,7 @@ func schema_openshift_api_operator_v1_ServiceCatalogControllerManagerStatus(ref }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -57680,6 +56788,7 @@ func schema_openshift_api_operator_v1_StaticPodOperatorStatus(ref common.Referen }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -57952,6 +57061,7 @@ func schema_openshift_api_operator_v1_StorageStatus(ref common.ReferenceCallback }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -59115,6 +58225,7 @@ func schema_openshift_api_operator_v1alpha1_OLMStatus(ref common.ReferenceCallba }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -61540,6 +60651,216 @@ func schema_openshift_api_osin_v1_TokenConfig(ref common.ReferenceCallback) comm } } +func schema_openshift_api_platform_v1alpha1_ActiveBundleDeployment(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ActiveBundleDeployment references a BundleDeployment resource.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the metadata.name of the referenced BundleDeployment object.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_platform_v1alpha1_Package(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Package contains fields to configure which OLM package this PlatformOperator will install", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name contains the desired OLM-based Operator package name that is defined in an existing CatalogSource resource in the cluster.\n\nThis configured package will be managed with the cluster's lifecycle. In the current implementation, it will be retrieving this name from a list of supported operators out of the catalogs included with OpenShift.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_platform_v1alpha1_PlatformOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PlatformOperator is the Schema for the PlatformOperators API.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec", "github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_platform_v1alpha1_PlatformOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PlatformOperatorList contains a list of PlatformOperators\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperator"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/platform/v1alpha1.PlatformOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_platform_v1alpha1_PlatformOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PlatformOperatorSpec defines the desired state of PlatformOperator.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "package": { + SchemaProps: spec.SchemaProps{ + Description: "package contains the desired package and its configuration for this PlatformOperator.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/platform/v1alpha1.Package"), + }, + }, + }, + Required: []string{"package"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/platform/v1alpha1.Package"}, + } +} + +func schema_openshift_api_platform_v1alpha1_PlatformOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PlatformOperatorStatus defines the observed state of PlatformOperator", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions represent the latest available observations of a platform operator's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "activeBundleDeployment": { + SchemaProps: spec.SchemaProps{ + Description: "activeBundleDeployment is the reference to the BundleDeployment resource that's being managed by this PO resource. If this field is not populated in the status then it means the PlatformOperator has either not been installed yet or is failing to install.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + func schema_openshift_api_project_v1_Project(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -63388,6 +62709,7 @@ func schema_openshift_api_security_v1_PodSecurityPolicyReviewStatus(ref common.R }, }, }, + Required: []string{"allowedServiceAccounts"}, }, }, Dependencies: []string{ @@ -64592,6 +63914,7 @@ func schema_openshift_api_servicecertsigner_v1alpha1_ServiceCertSignerOperatorCo }, }, }, + Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -68942,14 +68265,6 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm }, }, }, - "stopSignal": { - SchemaProps: spec.SchemaProps{ - Description: "StopSignal reports the effective stop signal for this container\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", - Type: []string{"string"}, - Format: "", - Enum: []interface{}{"SIGABRT", "SIGALRM", "SIGBUS", "SIGCHLD", "SIGCLD", "SIGCONT", "SIGFPE", "SIGHUP", "SIGILL", "SIGINT", "SIGIO", "SIGIOT", "SIGKILL", "SIGPIPE", "SIGPOLL", "SIGPROF", "SIGPWR", "SIGQUIT", "SIGRTMAX", "SIGRTMAX-1", "SIGRTMAX-10", "SIGRTMAX-11", "SIGRTMAX-12", "SIGRTMAX-13", "SIGRTMAX-14", "SIGRTMAX-2", "SIGRTMAX-3", "SIGRTMAX-4", "SIGRTMAX-5", "SIGRTMAX-6", "SIGRTMAX-7", "SIGRTMAX-8", "SIGRTMAX-9", "SIGRTMIN", "SIGRTMIN+1", "SIGRTMIN+10", "SIGRTMIN+11", "SIGRTMIN+12", "SIGRTMIN+13", "SIGRTMIN+14", "SIGRTMIN+15", "SIGRTMIN+2", "SIGRTMIN+3", "SIGRTMIN+4", "SIGRTMIN+5", "SIGRTMIN+6", "SIGRTMIN+7", "SIGRTMIN+8", "SIGRTMIN+9", "SIGSEGV", "SIGSTKFLT", "SIGSTOP", "SIGSYS", "SIGTERM", "SIGTRAP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGUSR1", "SIGUSR2", "SIGVTALRM", "SIGWINCH", "SIGXCPU", "SIGXFSZ"}, - }, - }, }, Required: []string{"name", "ready", "restartCount", "image", "imageID"}, }, @@ -69152,7 +68467,7 @@ func schema_k8sio_api_core_v1_EndpointAddress(ref common.ReferenceCallback) comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+.", + Description: "EndpointAddress is a tuple that describes single IP address.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "ip": { @@ -69201,7 +68516,7 @@ func schema_k8sio_api_core_v1_EndpointPort(ref common.ReferenceCallback) common. return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+.", + Description: "EndpointPort is a tuple that describes a single port.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { @@ -69250,7 +68565,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.", + Description: "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]", Type: []string{"object"}, Properties: map[string]spec.Schema{ "addresses": { @@ -69322,7 +68637,7 @@ func schema_k8sio_api_core_v1_Endpoints(ref common.ReferenceCallback) common.Ope return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]\n\nEndpoints is a legacy API and does not contain information about all Service features. Use discoveryv1.EndpointSlice for complete information about Service endpoints.\n\nDeprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.", + Description: "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -69377,7 +68692,7 @@ func schema_k8sio_api_core_v1_EndpointsList(ref common.ReferenceCallback) common return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointsList is a list of endpoints. Deprecated: This API is deprecated in v1.33+.", + Description: "EndpointsList is a list of endpoints.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -69428,12 +68743,12 @@ func schema_k8sio_api_core_v1_EnvFromSource(ref common.ReferenceCallback) common return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EnvFromSource represents the source of a set of ConfigMaps or Secrets", + Description: "EnvFromSource represents the source of a set of ConfigMaps", Type: []string{"object"}, Properties: map[string]spec.Schema{ "prefix": { SchemaProps: spec.SchemaProps{ - Description: "Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.", + Description: "An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.", Type: []string{"string"}, Format: "", }, @@ -71335,14 +70650,6 @@ func schema_k8sio_api_core_v1_Lifecycle(ref common.ReferenceCallback) common.Ope Ref: ref("k8s.io/api/core/v1.LifecycleHandler"), }, }, - "stopSignal": { - SchemaProps: spec.SchemaProps{ - Description: "StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", - Type: []string{"string"}, - Format: "", - Enum: []interface{}{"SIGABRT", "SIGALRM", "SIGBUS", "SIGCHLD", "SIGCLD", "SIGCONT", "SIGFPE", "SIGHUP", "SIGILL", "SIGINT", "SIGIO", "SIGIOT", "SIGKILL", "SIGPIPE", "SIGPOLL", "SIGPROF", "SIGPWR", "SIGQUIT", "SIGRTMAX", "SIGRTMAX-1", "SIGRTMAX-10", "SIGRTMAX-11", "SIGRTMAX-12", "SIGRTMAX-13", "SIGRTMAX-14", "SIGRTMAX-2", "SIGRTMAX-3", "SIGRTMAX-4", "SIGRTMAX-5", "SIGRTMAX-6", "SIGRTMAX-7", "SIGRTMAX-8", "SIGRTMAX-9", "SIGRTMIN", "SIGRTMIN+1", "SIGRTMIN+10", "SIGRTMIN+11", "SIGRTMIN+12", "SIGRTMIN+13", "SIGRTMIN+14", "SIGRTMIN+15", "SIGRTMIN+2", "SIGRTMIN+3", "SIGRTMIN+4", "SIGRTMIN+5", "SIGRTMIN+6", "SIGRTMIN+7", "SIGRTMIN+8", "SIGRTMIN+9", "SIGSEGV", "SIGSTKFLT", "SIGSTOP", "SIGSYS", "SIGTERM", "SIGTRAP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGUSR1", "SIGUSR2", "SIGVTALRM", "SIGWINCH", "SIGXCPU", "SIGXFSZ"}, - }, - }, }, }, }, @@ -73019,26 +72326,6 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op } } -func schema_k8sio_api_core_v1_NodeSwapStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NodeSwapStatus represents swap memory information.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "capacity": { - SchemaProps: spec.SchemaProps{ - Description: "Total amount of swap memory in bytes.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - }, - }, - }, - } -} - func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -73126,18 +72413,10 @@ func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) commo Format: "", }, }, - "swap": { - SchemaProps: spec.SchemaProps{ - Description: "Swap Info reported by the node.", - Ref: ref("k8s.io/api/core/v1.NodeSwapStatus"), - }, - }, }, Required: []string{"machineID", "systemUUID", "bootID", "kernelVersion", "osImage", "containerRuntimeVersion", "kubeletVersion", "kubeProxyVersion", "operatingSystem", "architecture"}, }, }, - Dependencies: []string{ - "k8s.io/api/core/v1.NodeSwapStatus"}, } } @@ -74407,7 +73686,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm }, }, SchemaProps: spec.SchemaProps{ - Description: "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.", + Description: "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -74427,7 +73706,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm }, }, SchemaProps: spec.SchemaProps{ - Description: "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.", + Description: "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -74579,13 +73858,6 @@ func schema_k8sio_api_core_v1_PodCondition(ref common.ReferenceCallback) common. Format: "", }, }, - "observedGeneration": { - SchemaProps: spec.SchemaProps{ - Description: "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", - Type: []string{"integer"}, - Format: "int64", - }, - }, "status": { SchemaProps: spec.SchemaProps{ Description: "Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions", @@ -75389,7 +74661,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA }, }, SchemaProps: spec.SchemaProps{ - Description: "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", + Description: "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -75846,13 +75118,6 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope Description: "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "observedGeneration": { - SchemaProps: spec.SchemaProps{ - Description: "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", - Type: []string{"integer"}, - Format: "int64", - }, - }, "phase": { SchemaProps: spec.SchemaProps{ Description: "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)", @@ -76038,7 +75303,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope }, "resize": { SchemaProps: spec.SchemaProps{ - Description: "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.", + Description: "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"", Type: []string{"string"}, Format: "", }, @@ -76999,7 +76264,6 @@ func schema_k8sio_api_core_v1_ReplicationControllerSpec(ref common.ReferenceCall "replicas": { SchemaProps: spec.SchemaProps{ Description: "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller", - Default: 1, Type: []string{"integer"}, Format: "int32", }, @@ -77007,7 +76271,6 @@ func schema_k8sio_api_core_v1_ReplicationControllerSpec(ref common.ReferenceCall "minReadySeconds": { SchemaProps: spec.SchemaProps{ Description: "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)", - Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -77360,7 +76623,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaSpec(ref common.ReferenceCallback) co Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating", "VolumeAttributesClass"}, + Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating"}, }, }, }, @@ -77801,11 +77064,11 @@ func schema_k8sio_api_core_v1_ScopedResourceSelectorRequirement(ref common.Refer Properties: map[string]spec.Schema{ "scopeName": { SchemaProps: spec.SchemaProps{ - Description: "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0\n - `\"VolumeAttributesClass\"` Match all pvc objects that have volume attributes class mentioned.", + Description: "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0", Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating", "VolumeAttributesClass"}, + Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating"}, }, }, "operator": { @@ -78954,7 +78217,7 @@ func schema_k8sio_api_core_v1_ServiceSpec(ref common.ReferenceCallback) common.O }, "trafficDistribution": { SchemaProps: spec.SchemaProps{ - Description: "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are in the same zone.", + Description: "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are topologically close (e.g., same zone). This is a beta field and requires enabling ServiceTrafficDistribution feature.", Type: []string{"string"}, Format: "", }, @@ -79437,7 +78700,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb }, "nodeAffinityPolicy": { SchemaProps: spec.SchemaProps{ - Description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + Description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", Type: []string{"string"}, Format: "", Enum: []interface{}{"Honor", "Ignore"}, @@ -79445,7 +78708,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb }, "nodeTaintsPolicy": { SchemaProps: spec.SchemaProps{ - Description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + Description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", Type: []string{"string"}, Format: "", Enum: []interface{}{"Honor", "Ignore"}, @@ -79757,7 +79020,7 @@ func schema_k8sio_api_core_v1_Volume(ref common.ReferenceCallback) common.OpenAP }, "image": { SchemaProps: spec.SchemaProps{ - Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", Ref: ref("k8s.io/api/core/v1.ImageVolumeSource"), }, }, @@ -80202,7 +79465,7 @@ func schema_k8sio_api_core_v1_VolumeSource(ref common.ReferenceCallback) common. }, "image": { SchemaProps: spec.SchemaProps{ - Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", Ref: ref("k8s.io/api/core/v1.ImageVolumeSource"), }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 169d0ceac1c..011a1b7b7b7 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -526,6 +526,14 @@ "com.github.openshift.api.apps.v1.DeploymentConfigStatus": { "description": "DeploymentConfigStatus represents the current deployment state.", "type": "object", + "required": [ + "latestVersion", + "observedGeneration", + "replicas", + "updatedReplicas", + "availableReplicas", + "unavailableReplicas" + ], "properties": { "availableReplicas": { "description": "availableReplicas is the total number of available pods targeted by this deployment config.", @@ -2139,6 +2147,9 @@ "com.github.openshift.api.authorization.v1.SubjectRulesReviewStatus": { "description": "SubjectRulesReviewStatus is contains the result of a rules check", "type": "object", + "required": [ + "rules" + ], "properties": { "evaluationError": { "description": "evaluationError can appear in combination with Rules. It means some error happened during evaluation that may have prevented additional rules from being populated.", @@ -2471,6 +2482,9 @@ "com.github.openshift.api.build.v1.BuildConfigStatus": { "description": "BuildConfigStatus contains current state of the build config object.", "type": "object", + "required": [ + "lastVersion" + ], "properties": { "imageChangeTriggers": { "description": "imageChangeTriggers captures the runtime state of any ImageChangeTrigger specified in the BuildConfigSpec, including the value reconciled by the OpenShift APIServer for the lastTriggeredImageID. There is a single entry in this array for each image change trigger in spec. Each trigger status references the ImageStreamTag that acts as the source of the trigger.", @@ -2830,6 +2844,9 @@ "com.github.openshift.api.build.v1.BuildStatus": { "description": "BuildStatus contains the status of a build", "type": "object", + "required": [ + "phase" + ], "properties": { "cancelled": { "description": "cancelled describes if a cancel event was triggered for the build.", @@ -4137,7 +4154,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerServingCerts" }, "tlsSecurityProfile": { - "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", + "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TLSSecurityProfile" } } @@ -4165,8 +4182,7 @@ "properties": { "type": { "description": "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n transport layer (TCP/SSL). See the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb", - "type": "string", - "default": "" + "type": "string" } }, "x-kubernetes-unions": [ @@ -4497,8 +4513,7 @@ }, "profile": { "description": "profile specifies the name of the desired audit policy configuration to be deployed to all OpenShift-provided API servers in the cluster.\n\nThe following profiles are provided: - Default: the existing default policy. - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nIf unset, the 'Default' profile is used as the default.", - "type": "string", - "default": "" + "type": "string" } } }, @@ -4611,6 +4626,10 @@ }, "com.github.openshift.api.config.v1.AuthenticationStatus": { "type": "object", + "required": [ + "integratedOAuthMetadata", + "oidcClients" + ], "properties": { "integratedOAuthMetadata": { "description": "integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for the in-cluster integrated OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This contains the observed value based on cluster state. An explicitly set value in spec.oauthMetadata has precedence over this field. This field has no meaning if authentication spec.type is not set to IntegratedOAuth. The key \"oauthMetadata\" is used to locate the data. If the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config-managed.", @@ -4647,13 +4666,6 @@ "description": "armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.", "type": "string" }, - "cloudLoadBalancerConfig": { - "description": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - "default": { - "dnsType": "PlatformDefault" - }, - "$ref": "#/definitions/com.github.openshift.api.config.v1.CloudLoadBalancerConfig" - }, "cloudName": { "description": "cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the value is equal to `AzurePublicCloud`.", "type": "string" @@ -5115,110 +5127,6 @@ } } }, - "com.github.openshift.api.config.v1.ClusterImagePolicy": { - "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec contains the configuration for the cluster image policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1.ClusterImagePolicyList": { - "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a list of ClusterImagePolices", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.config.v1.ClusterImagePolicySpec": { - "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" - }, - "scopes": { - "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1.ClusterImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.config.v1.ClusterNetworkEntry": { "description": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "type": "object", @@ -5239,7 +5147,7 @@ } }, "com.github.openshift.api.config.v1.ClusterOperator": { - "description": "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "description": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", "required": [ "metadata", @@ -5495,7 +5403,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesSpec" }, "channel": { - "description": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", + "description": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", "type": "string" }, "clusterID": { @@ -5547,6 +5455,7 @@ "desired", "observedGeneration", "versionHash", + "capabilities", "availableUpdates" ], "properties": { @@ -5939,6 +5848,9 @@ "com.github.openshift.api.config.v1.ConsoleStatus": { "description": "ConsoleStatus defines the observed status of the Console.", "type": "object", + "required": [ + "consoleURL" + ], "properties": { "consoleURL": { "description": "The URL for the console. This will be derived from the host for the route that is created for the console.", @@ -6331,7 +6243,7 @@ "default": "" }, "valueExpression": { - "description": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", + "description": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", "type": "string", "default": "" } @@ -6485,6 +6397,9 @@ }, "com.github.openshift.api.config.v1.FeatureGateStatus": { "type": "object", + "required": [ + "featureGates" + ], "properties": { "conditions": { "description": "conditions represent the observations of the current state. Known .status.conditions.type are: \"DeterminationDegraded\"", @@ -6534,32 +6449,6 @@ } } }, - "com.github.openshift.api.config.v1.FulcioCAWithRekor": { - "description": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1.GCPPlatformSpec": { "description": "GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object" @@ -6614,7 +6503,7 @@ "x-kubernetes-list-type": "map" }, "serviceEndpoints": { - "description": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", + "description": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", "type": "array", "items": { "default": {}, @@ -6996,7 +6885,7 @@ "type": "object", "properties": { "serviceEndpoints": { - "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", "type": "array", "items": { "default": {}, @@ -7034,7 +6923,7 @@ "type": "string" }, "serviceEndpoints": { - "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", "type": "array", "items": { "default": {}, @@ -7438,110 +7327,6 @@ } } }, - "com.github.openshift.api.config.v1.ImagePolicy": { - "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec holds user settable values for configuration", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1.ImagePolicyList": { - "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a list of ImagePolicies", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.config.v1.ImagePolicySpec": { - "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" - }, - "scopes": { - "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1.ImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.config.v1.ImageSpec": { "type": "object", "properties": { @@ -7798,6 +7583,14 @@ "com.github.openshift.api.config.v1.InfrastructureStatus": { "description": "InfrastructureStatus describes the infrastructure the cluster is leveraging.", "type": "object", + "required": [ + "infrastructureName", + "etcdDiscoveryDomain", + "apiServerURL", + "apiServerInternalURI", + "controlPlaneTopology", + "infrastructureTopology" + ], "properties": { "apiServerInternalURI": { "description": "apiServerInternalURL is a valid URI with scheme 'https', address and optionally a port (defaulting to 443). apiServerInternalURL can be used by components like kubelets, to contact the Kubernetes API server using the infrastructure provider rather than Kubernetes networking.", @@ -7831,7 +7624,8 @@ }, "infrastructureTopology": { "description": "infrastructureTopology expresses the expectations for infrastructure services that do not run on control plane nodes, usually indicated by a node selector for a `role` value other than `master`. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation NOTE: External topology mode is not applicable for this field.", - "type": "string" + "type": "string", + "default": "" }, "platform": { "description": "platform is the underlying infrastructure provider for the cluster.\n\nDeprecated: Use platformStatus.type instead.", @@ -8989,36 +8783,37 @@ } }, "com.github.openshift.api.config.v1.OIDCClientConfig": { - "description": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", "type": "object", "required": [ "componentName", "componentNamespace", - "clientID" + "clientID", + "clientSecret", + "extraScopes" ], "properties": { "clientID": { - "description": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "description": "clientID is the identifier of the OIDC client from the OIDC provider", "type": "string", "default": "" }, "clientSecret": { - "description": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "description": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.SecretNameReference" }, "componentName": { - "description": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "description": "componentName is the name of the component that is supposed to consume this client configuration", "type": "string", "default": "" }, "componentNamespace": { - "description": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "description": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", "type": "string", "default": "" }, "extraScopes": { - "description": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", + "description": "extraScopes is an optional set of scopes to request tokens with.", "type": "array", "items": { "type": "string", @@ -9029,7 +8824,6 @@ } }, "com.github.openshift.api.config.v1.OIDCClientReference": { - "description": "OIDCClientReference is a reference to a platform component client configuration.", "type": "object", "required": [ "oidcProviderName", @@ -9038,37 +8832,38 @@ ], "properties": { "clientID": { - "description": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", + "description": "clientID is the identifier of the OIDC client from the OIDC provider", "type": "string", "default": "" }, "issuerURL": { - "description": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "description": "URL is the serving URL of the token issuer. Must use the https:// scheme.", "type": "string", "default": "" }, "oidcProviderName": { - "description": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "description": "OIDCName refers to the `name` of the provider from `oidcProviders`", "type": "string", "default": "" } } }, "com.github.openshift.api.config.v1.OIDCClientStatus": { - "description": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", "type": "object", "required": [ "componentName", - "componentNamespace" + "componentNamespace", + "currentOIDCClients", + "consumingUsers" ], "properties": { "componentName": { - "description": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "description": "componentName is the name of the component that will consume a client configuration.", "type": "string", "default": "" }, "componentNamespace": { - "description": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "description": "componentNamespace is the namespace of the component that will consume a client configuration.", "type": "string", "default": "" }, @@ -9085,7 +8880,7 @@ "x-kubernetes-list-type": "map" }, "consumingUsers": { - "description": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", + "description": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", "type": "array", "items": { "type": "string", @@ -9094,7 +8889,7 @@ "x-kubernetes-list-type": "set" }, "currentOIDCClients": { - "description": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "description": "currentOIDCClients is a list of clients that the component is currently using.", "type": "array", "items": { "default": {}, @@ -9113,16 +8908,17 @@ "required": [ "name", "issuer", + "oidcClients", "claimMappings" ], "properties": { "claimMappings": { - "description": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "description": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimMappings" }, "claimValidationRules": { - "description": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "description": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", "type": "array", "items": { "default": {}, @@ -9131,17 +8927,17 @@ "x-kubernetes-list-type": "atomic" }, "issuer": { - "description": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "description": "issuer describes atributes of the OIDC token issuer", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenIssuer" }, "name": { - "description": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "description": "name of the OIDC provider", "type": "string", "default": "" }, "oidcClients": { - "description": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "description": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", "type": "array", "items": { "default": {}, @@ -9152,6 +8948,14 @@ "componentName" ], "x-kubernetes-list-type": "map" + }, + "userValidationRules": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenUserValidationRule" + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -9575,45 +9379,6 @@ } } }, - "com.github.openshift.api.config.v1.PKI": { - "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PKICertificateSubject" - } - } - }, - "com.github.openshift.api.config.v1.PKICertificateSubject": { - "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "type": "object", - "properties": { - "email": { - "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", - "type": "string" - }, - "hostname": { - "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1.PlatformSpec": { "description": "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.", "type": "object", @@ -9754,143 +9519,6 @@ } } }, - "com.github.openshift.api.config.v1.Policy": { - "description": "Policy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyIdentity" - } - } - }, - "com.github.openshift.api.config.v1.PolicyFulcioSubject": { - "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "type": "object", - "required": [ - "oidcIssuer", - "signedEmail" - ], - "properties": { - "oidcIssuer": { - "description": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "type": "string", - "default": "" - }, - "signedEmail": { - "description": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1.PolicyIdentity": { - "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "type": "object", - "required": [ - "matchPolicy" - ], - "properties": { - "exactRepository": { - "description": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchExactRepository" - }, - "matchPolicy": { - "description": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "type": "string", - "default": "" - }, - "remapIdentity": { - "description": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchRemapIdentity" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "matchPolicy", - "fields-to-discriminateBy": { - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity" - } - } - ] - }, - "com.github.openshift.api.config.v1.PolicyMatchExactRepository": { - "type": "object", - "required": [ - "repository" - ], - "properties": { - "repository": { - "description": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1.PolicyMatchRemapIdentity": { - "type": "object", - "required": [ - "prefix", - "signedPrefix" - ], - "properties": { - "prefix": { - "description": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - }, - "signedPrefix": { - "description": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1.PolicyRootOfTrust": { - "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "type": "object", - "required": [ - "policyType" - ], - "properties": { - "fulcioCAWithRekor": { - "description": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1.FulcioCAWithRekor" - }, - "pki": { - "description": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI" - }, - "policyType": { - "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "type": "string", - "default": "" - }, - "publicKey": { - "description": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PublicKey" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "policyType", - "fields-to-discriminateBy": { - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey" - } - } - ] - }, "com.github.openshift.api.config.v1.PowerVSPlatformSpec": { "description": "PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", @@ -9975,19 +9603,19 @@ } }, "com.github.openshift.api.config.v1.PrefixedClaimMapping": { - "description": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", "type": "object", "required": [ - "claim" + "claim", + "prefix" ], "properties": { "claim": { - "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + "description": "claim is a JWT token claim to be used in the mapping", "type": "string", "default": "" }, "prefix": { - "description": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "description": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", "type": "string", "default": "" } @@ -10210,25 +9838,6 @@ } } }, - "com.github.openshift.api.config.v1.PublicKey": { - "description": "PublicKey defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1.RegistryLocation": { "description": "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", "type": "object", @@ -10875,14 +10484,13 @@ "type": "object" }, "com.github.openshift.api.config.v1.TokenClaimMapping": { - "description": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", "type": "object", "required": [ "claim" ], "properties": { "claim": { - "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + "description": "claim is a JWT token claim to be used in the mapping", "type": "string", "default": "" } @@ -10890,12 +10498,9 @@ }, "com.github.openshift.api.config.v1.TokenClaimMappings": { "type": "object", - "required": [ - "username" - ], "properties": { "extra": { - "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", "type": "array", "items": { "default": {}, @@ -10907,7 +10512,7 @@ "x-kubernetes-list-type": "map" }, "groups": { - "description": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "description": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.PrefixedClaimMapping" }, @@ -10916,7 +10521,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimOrExpressionMapping" }, "username": { - "description": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "description": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernameClaimMapping" } @@ -10931,7 +10536,7 @@ "type": "string" }, "expression": { - "description": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", + "description": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", "type": "string" } } @@ -10942,12 +10547,16 @@ "type" ], "properties": { + "expressionRule": { + "description": "expressionRule contains the configuration for the \"Expression\" type. Must be set if type == \"Expression\".", + "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenExpressionRule" + }, "requiredClaim": { - "description": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.", + "description": "requiredClaim allows configuring a required claim name and its expected value. RequiredClaim is used when type is RequiredClaim.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenRequiredClaim" }, "type": { - "description": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", + "description": "type sets the type of the validation rule", "type": "string", "default": "" } @@ -10973,15 +10582,37 @@ } } }, + "com.github.openshift.api.config.v1.TokenExpressionRule": { + "type": "object", + "required": [ + "expression" + ], + "properties": { + "expression": { + "description": "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", + "type": "string", + "default": "" + }, + "message": { + "description": "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.TokenIssuer": { "type": "object", "required": [ "issuerURL", - "audiences" + "audiences", + "issuerCertificateAuthority" ], "properties": { + "audienceMatchPolicy": { + "description": "audienceMatchPolicy specifies how token audiences are matched. If omitted, the system applies a default policy. Valid values are: - \"MatchAny\": The token is accepted if any of its audiences match any of the configured audiences.", + "type": "string" + }, "audiences": { - "description": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "description": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", "type": "array", "items": { "type": "string", @@ -10989,13 +10620,16 @@ }, "x-kubernetes-list-type": "set" }, + "discoveryURL": { + "type": "string" + }, "issuerCertificateAuthority": { - "description": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", + "description": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ConfigMapNameReference" }, "issuerURL": { - "description": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", + "description": "URL is the serving URL of the token issuer. Must use the https:// scheme.", "type": "string", "default": "" } @@ -11009,17 +10643,34 @@ ], "properties": { "claim": { - "description": "claim is a required field that configures the name of the required claim. When taken from the JWT claims, claim must be a string value.\n\nclaim must not be an empty string (\"\").", + "description": "claim is a name of a required claim. Only claims with string values are supported.", "type": "string", "default": "" }, "requiredValue": { - "description": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", + "description": "requiredValue is the required value for the claim.", "type": "string", "default": "" } } }, + "com.github.openshift.api.config.v1.TokenUserValidationRule": { + "description": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims. If the expression evaluates to false, the token is rejected. See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. At least one rule must evaluate to true for the token to be considered valid.", + "type": "object", + "required": [ + "expression" + ], + "properties": { + "expression": { + "description": "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + "type": "string" + }, + "message": { + "description": "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.Update": { "description": "Update represents an administrator update request.", "type": "object", @@ -11058,7 +10709,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { @@ -11094,43 +10745,33 @@ "com.github.openshift.api.config.v1.UsernameClaimMapping": { "type": "object", "required": [ - "claim" + "claim", + "prefixPolicy", + "prefix" ], "properties": { "claim": { - "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "description": "claim is a JWT token claim to be used in the mapping", "type": "string", "default": "" }, "prefix": { - "description": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernamePrefix" }, "prefixPolicy": { - "description": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "description": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", "type": "string", "default": "" } - }, - "x-kubernetes-unions": [ - { - "discriminator": "prefixPolicy", - "fields-to-discriminateBy": { - "claim": "Claim", - "prefix": "Prefix" - } - } - ] + } }, "com.github.openshift.api.config.v1.UsernamePrefix": { - "description": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", "type": "object", "required": [ "prefixString" ], "properties": { "prefixString": { - "description": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", "type": "string", "default": "" } @@ -11529,102 +11170,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.AlertmanagerConfig": { - "description": "alertmanagerConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - "type": "object", - "required": [ - "deploymentMode" - ], - "properties": { - "customConfig": { - "description": "customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.AlertmanagerCustomConfig" - }, - "deploymentMode": { - "description": "deploymentMode determines whether the default Alertmanager instance should be deployed as part of the monitoring stack. Allowed values are Disabled, DefaultConfig, and CustomConfig. When set to Disabled, the Alertmanager instance will not be deployed. When set to DefaultConfig, the platform will deploy Alertmanager with default settings. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", - "type": "string" - } - } - }, - "com.github.openshift.api.config.v1alpha1.AlertmanagerCustomConfig": { - "description": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - "type": "object", - "properties": { - "logLevel": { - "description": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", - "type": "string" - }, - "nodeSelector": { - "description": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "type": "object", - "additionalProperties": { - "type": "string", - "default": "" - } - }, - "resources": { - "description": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ContainerResource" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - }, - "secrets": { - "description": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - }, - "tolerations": { - "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" - }, - "x-kubernetes-list-type": "atomic" - }, - "topologySpreadConstraints": { - "description": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint" - }, - "x-kubernetes-list-map-keys": [ - "topologyKey", - "whenUnsatisfiable" - ], - "x-kubernetes-list-type": "map" - }, - "volumeClaimTemplate": { - "description": "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.", - "$ref": "#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim" - } - } - }, - "com.github.openshift.api.config.v1alpha1.Audit": { - "description": "Audit profile configurations", - "type": "object", - "required": [ - "profile" - ], - "properties": { - "profile": { - "description": "profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. Allowed values are None, Metadata, Request, or RequestResponse. When set to None, audit logging is disabled and no audit events are recorded. When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. When set to Request, event metadata and the request body are logged, but not the response body. When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.\n\nSee: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy for more information about auditing and log levels.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1alpha1.Backup": { "description": "Backup provides configuration for performing backups of the openshift cluster.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -11868,49 +11413,21 @@ "com.github.openshift.api.config.v1alpha1.ClusterMonitoringSpec": { "description": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", "type": "object", + "required": [ + "userDefined" + ], "properties": { - "alertmanagerConfig": { - "description": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.AlertmanagerConfig" - }, - "metricsServerConfig": { - "description": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.MetricsServerConfig" - }, "userDefined": { - "description": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", + "description": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.UserDefinedMonitoring" } } }, "com.github.openshift.api.config.v1alpha1.ClusterMonitoringStatus": { - "description": "ClusterMonitoringStatus defines the observed state of ClusterMonitoring", + "description": "MonitoringOperatorStatus defines the observed state of MonitoringOperator", "type": "object" }, - "com.github.openshift.api.config.v1alpha1.ContainerResource": { - "description": "ContainerResource defines a single resource requirement for a container.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "limit": { - "description": "limit is the maximum amount of the resource allowed (e.g. \"2Mi\", \"1Gi\"). This field is optional. When request is specified, limit cannot be less than request. The value must be greater than 0 when specified.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" - }, - "name": { - "description": "name of the resource (e.g. \"cpu\", \"memory\", \"hugepages-2Mi\"). This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.", - "type": "string" - }, - "request": { - "description": "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" - } - } - }, "com.github.openshift.api.config.v1alpha1.EtcdBackupSpec": { "description": "EtcdBackupSpec provides configuration for automated etcd backups to the cluster-etcd-operator", "type": "object", @@ -12163,63 +11680,6 @@ "com.github.openshift.api.config.v1alpha1.InsightsDataGatherStatus": { "type": "object" }, - "com.github.openshift.api.config.v1alpha1.MetricsServerConfig": { - "description": "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", - "type": "object", - "properties": { - "audit": { - "description": "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Audit" - }, - "nodeSelector": { - "description": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "type": "object", - "additionalProperties": { - "type": "string", - "default": "" - } - }, - "resources": { - "description": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ContainerResource" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - }, - "tolerations": { - "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" - }, - "x-kubernetes-list-type": "atomic" - }, - "topologySpreadConstraints": { - "description": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint" - }, - "x-kubernetes-list-map-keys": [ - "topologyKey", - "whenUnsatisfiable" - ], - "x-kubernetes-list-type": "map" - }, - "verbosity": { - "description": "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1alpha1.PKI": { "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", "type": "object", @@ -12409,7 +11869,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKI" }, "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "type": "string", "default": "" }, @@ -12458,8 +11918,7 @@ "maxNumberOfBackups": { "description": "maxNumberOfBackups defines the maximum number of backups to retain. If the existing number of backups saved is equal to MaxNumberOfBackups then the oldest backup will be removed before a new backup is initiated.", "type": "integer", - "format": "int32", - "default": 0 + "format": "int32" } } }, @@ -12508,8 +11967,7 @@ "maxSizeOfBackupsGb": { "description": "maxSizeOfBackupsGb defines the total size in GB of backups to retain. If the current total size backups exceeds MaxSizeOfBackupsGb then the oldest backup will be removed before a new backup is initiated.", "type": "integer", - "format": "int32", - "default": 0 + "format": "int32" } } }, @@ -12539,7 +11997,7 @@ ], "properties": { "mode": { - "description": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", + "description": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", "type": "string", "default": "", "enum": [ @@ -13359,7 +12817,8 @@ "properties": { "basePath": { "description": "basePath is the path to the plugin's assets. The primary asset it the manifest file called `plugin-manifest.json`, which is a JSON document that contains metadata about the plugin and the extensions.", - "type": "string" + "type": "string", + "default": "" }, "name": { "description": "name of Service that is serving the plugin assets.", @@ -14009,8 +13468,7 @@ }, "type": { "description": "type determines which of the union members should be populated.", - "type": "string", - "default": "" + "type": "string" } }, "x-kubernetes-unions": [ @@ -14031,8 +13489,7 @@ "properties": { "type": { "description": "type is the discriminator. It has different values for Default and for TechPreviewNoUpgrade", - "type": "string", - "default": "" + "type": "string" } } }, @@ -15224,6 +14681,9 @@ "com.github.openshift.api.image.v1.ImageStreamStatus": { "description": "ImageStreamStatus contains information about the state of this image stream.", "type": "object", + "required": [ + "dockerImageRepository" + ], "properties": { "dockerImageRepository": { "description": "dockerImageRepository represents the effective location this stream may be accessed at. May be empty until the server determines where the repository is located", @@ -16074,393 +15534,6 @@ } } }, - "com.github.openshift.api.insights.v1alpha2.Custom": { - "description": "custom provides the custom configuration of gatherers", - "type": "object", - "required": [ - "configs" - ], - "properties": { - "configs": { - "description": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.GathererConfig" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.DataGather": { - "description": "DataGather provides data gather configuration options and status for the particular Insights data gathering.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec holds user settable values for configuration", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGatherSpec" - }, - "status": { - "description": "status holds observed values from the cluster. They may not be overridden.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGatherStatus" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.DataGatherList": { - "description": "DataGatherList is a collection of items\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains a list of DataGather resources.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGather" - }, - "x-kubernetes-list-type": "atomic" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.DataGatherSpec": { - "description": "DataGatherSpec contains the configuration for the DataGather.", - "type": "object", - "properties": { - "dataPolicy": { - "description": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "atomic" - }, - "gatherers": { - "description": "gatherers is an optional field that specifies the configuration of the gatherers. If omitted, all gatherers will be run.", - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Gatherers" - }, - "storage": { - "description": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Storage" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.DataGatherStatus": { - "description": "DataGatherStatus contains information relating to the DataGather state.", - "type": "object", - "properties": { - "conditions": { - "description": "conditions is an optional field that provides details on the status of the gatherer job. It may not exceed 100 items and must not contain duplicates.\n\nThe current condition types are DataUploaded, DataRecorded, DataProcessed, RemoteConfigurationNotAvailable, RemoteConfigurationInvalid\n\nThe DataUploaded condition is used to represent whether or not the archive was successfully uploaded for further processing. When it has a status of True and a reason of Succeeded, the archive was successfully uploaded. When it has a status of Unknown and a reason of NoUploadYet, the upload has not occurred, or there was no data to upload. When it has a status of False and a reason Failed, the upload failed. The accompanying message will include the specific error encountered.\n\nThe DataRecorded condition is used to represent whether or not the archive was successfully recorded. When it has a status of True and a reason of Succeeded, the archive was recorded successfully. When it has a status of Unknown and a reason of NoDataGatheringYet, the data gathering process has not started yet. When it has a status of False and a reason of RecordingFailed, the recording failed and a message will include the specific error encountered.\n\nThe DataProcessed condition is used to represent whether or not the archive was processed by the processing service. When it has a status of True and a reason of Processed, the data was processed successfully. When it has a status of Unknown and a reason of NothingToProcessYet, there is no data to process at the moment. When it has a status of False and a reason of Failure, processing failed and a message will include the specific error encountered.\n\nThe RemoteConfigurationAvailable condition is used to represent whether the remote configuration is available. When it has a status of Unknown and a reason of Unknown or RemoteConfigNotRequestedYet, the state of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is available. When it has a status of False and a reason of NoToken, the configuration was disabled by removing the cloud.openshift.com field from the pull secret. When it has a status of False and a reason of DisabledByConfiguration, the configuration was disabled in insightsdatagather.config.openshift.io.\n\nThe RemoteConfigurationValid condition is used to represent whether the remote configuration is valid. When it has a status of Unknown and a reason of Unknown or NoValidationYet, the validity of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is valid. When it has a status of False and a reason of Invalid, the configuration is invalid.\n\nThe Progressing condition is used to represent the phase of gathering When it has a status of False and the reason is DataGatherPending, the gathering has not started yet. When it has a status of True and reason is Gathering, the gathering is running. When it has a status of False and reason is GatheringSucceeded, the gathering succesfully finished. When it has a status of False and reason is GatheringFailed, the gathering failed.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "finishTime": { - "description": "finishTime is the time when Insights data gathering finished.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" - }, - "gatherers": { - "description": "gatherers is a list of active gatherers (and their statuses) in the last gathering.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.GathererStatus" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - }, - "insightsReport": { - "description": "insightsReport provides general Insights analysis results. When omitted, this means no data gathering has taken place yet or the corresponding Insights analysis (identified by \"insightsRequestID\") is not available.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.InsightsReport" - }, - "insightsRequestID": { - "description": "insightsRequestID is an optional Insights request ID to track the status of the Insights analysis (in console.redhat.com processing pipeline) for the corresponding Insights data archive. It may not exceed 256 characters and is immutable once set.", - "type": "string" - }, - "relatedObjects": { - "description": "relatedObjects is an optional list of resources which are useful when debugging or inspecting the data gathering Pod It may not exceed 100 items and must not contain duplicates.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.ObjectReference" - }, - "x-kubernetes-list-map-keys": [ - "name", - "namespace" - ], - "x-kubernetes-list-type": "map" - }, - "startTime": { - "description": "startTime is the time when Insights data gathering started.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.GathererConfig": { - "description": "gathererConfig allows to configure specific gatherers", - "type": "object", - "required": [ - "name", - "state" - ], - "properties": { - "name": { - "description": "name is the required name of a specific gatherer It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", - "type": "string", - "default": "" - }, - "state": { - "description": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.GathererStatus": { - "description": "gathererStatus represents information about a particular data gatherer.", - "type": "object", - "required": [ - "name", - "lastGatherSeconds" - ], - "properties": { - "conditions": { - "description": "conditions provide details on the status of each gatherer.\n\nThe current condition type is DataGathered\n\nThe DataGathered condition is used to represent whether or not the data was gathered by a gatherer specified by name. When it has a status of True and a reason of GatheredOK, the data has been successfully gathered as expected. When it has a status of False and a reason of NoData, no data was gathered—for example, when the resource is not present in the cluster. When it has a status of False and a reason of GatherError, an error occurred and no data was gathered. When it has a status of False and a reason of GatherPanic, a panic occurred during gathering and no data was collected. When it has a status of False and a reason of GatherWithErrorReason, data was partially gathered or gathered with an error message.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "lastGatherSeconds": { - "description": "lastGatherSeconds is required field that represents the time spent gathering in seconds", - "type": "integer", - "format": "int32", - "default": 0 - }, - "name": { - "description": "name is the required name of the gatherer. It must contain at least 5 characters and may not exceed 256 characters.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.Gatherers": { - "description": "Gathereres specifies the configuration of the gatherers", - "type": "object", - "required": [ - "mode" - ], - "properties": { - "custom": { - "description": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.", - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Custom" - }, - "mode": { - "description": "mode is a required field that specifies the mode for gatherers. Allowed values are All and Custom. When set to All, all gatherers wil run and gather data. When set to Custom, the custom configuration from the custom field will be applied.", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "mode", - "fields-to-discriminateBy": { - "custom": "Custom" - } - } - ] - }, - "com.github.openshift.api.insights.v1alpha2.HealthCheck": { - "description": "healthCheck represents an Insights health check attributes.", - "type": "object", - "required": [ - "description", - "totalRisk", - "advisorURI" - ], - "properties": { - "advisorURI": { - "description": "advisorURI is required field that provides the URL link to the Insights Advisor. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", - "type": "string", - "default": "" - }, - "description": { - "description": "description is required field that provides basic description of the healtcheck. It must contain at least 10 characters and may not exceed 2048 characters.", - "type": "string", - "default": "" - }, - "totalRisk": { - "description": "totalRisk is the required field of the healthcheck. It is indicator of the total risk posed by the detected issue; combination of impact and likelihood. Allowed values are Low, Medium, Important and Critical. The value represents the severity of the issue.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.InsightsReport": { - "description": "insightsReport provides Insights health check report based on the most recently sent Insights data.", - "type": "object", - "properties": { - "downloadedTime": { - "description": "downloadedTime is an optional time when the last Insights report was downloaded. An empty value means that there has not been any Insights report downloaded yet and it usually appears in disconnected clusters (or clusters when the Insights data gathering is disabled).", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" - }, - "healthChecks": { - "description": "healthChecks provides basic information about active Insights health checks in a cluster.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.HealthCheck" - }, - "x-kubernetes-list-map-keys": [ - "advisorURI", - "totalRisk", - "description" - ], - "x-kubernetes-list-type": "map" - }, - "uri": { - "description": "uri is optional field that provides the URL link from which the report was downloaded. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", - "type": "string" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.ObjectReference": { - "description": "ObjectReference contains enough information to let you inspect or modify the referred object.", - "type": "object", - "required": [ - "group", - "resource", - "name", - "namespace" - ], - "properties": { - "group": { - "description": "group is required field that specifies the API Group of the Resource. Enter empty string for the core group. This value is empty or it should follow the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", - "type": "string", - "default": "" - }, - "name": { - "description": "name is required field that specifies the referent that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character..", - "type": "string", - "default": "" - }, - "namespace": { - "description": "namespace if required field of the referent that follows the DNS1123 labels format. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character.", - "type": "string", - "default": "" - }, - "resource": { - "description": "resource is required field of the type that is being referenced and follows the DNS1035 format. It is normally the plural form of the resource kind in lowercase. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.PersistentVolumeClaimReference": { - "description": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.PersistentVolumeConfig": { - "description": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", - "type": "object", - "required": [ - "claim" - ], - "properties": { - "claim": { - "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.PersistentVolumeClaimReference" - }, - "mountPath": { - "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", - "type": "string" - } - } - }, - "com.github.openshift.api.insights.v1alpha2.Storage": { - "description": "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", - "type": "object", - "required": [ - "type" - ], - "properties": { - "persistentVolume": { - "description": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", - "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.PersistentVolumeConfig" - }, - "type": { - "description": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the PersistentVolume field.", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "persistentVolume": "PersistentVolume" - } - } - ] - }, "com.github.openshift.api.kubecontrolplane.v1.AggregatorConfig": { "description": "AggregatorConfig holds information required to make the aggregator function.", "type": "object", @@ -19886,7 +18959,7 @@ ], "properties": { "accessTokenInactivityTimeoutSeconds": { - "description": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overridden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", + "description": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overriden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", "type": "integer", "format": "int32" }, @@ -20505,8 +19578,7 @@ "properties": { "machineType": { "description": "machineType determines the type of Machines that should be managed by the ControlPlaneMachineSet. Currently, the only valid value is machines_v1beta1_machine_openshift_io.", - "type": "string", - "default": "" + "type": "string" }, "machines_v1beta1_machine_openshift_io": { "description": "OpenShiftMachineV1Beta1Machine defines the template for creating Machines from the v1beta1.machine.openshift.io API group.", @@ -21023,8 +20095,7 @@ "properties": { "adapterType": { "description": "adapterType is the adapter type of the disk address. If the deviceType is \"Disk\", the valid adapterType can be \"SCSI\", \"IDE\", \"PCI\", \"SATA\" or \"SPAPR\". If the deviceType is \"CDRom\", the valid adapterType can be \"IDE\" or \"SATA\".", - "type": "string", - "default": "" + "type": "string" }, "deviceIndex": { "description": "deviceIndex is the index of the disk address. The valid values are non-negative integers, with the default value 0. For a Machine VM, the deviceIndex for the disks with the same deviceType.adapterType combination should start from 0 and increase consecutively afterwards. Note that for each Machine VM, the Disk.SCSI.0 and CDRom.IDE.0 are reserved to be used by the VM's system. So for dataDisks of Disk.SCSI and CDRom.IDE, the deviceIndex should start from 1.", @@ -21074,7 +20145,7 @@ "$ref": "#/definitions/com.github.openshift.api.machine.v1.ControlPlaneMachineSetTemplateObjectMeta" }, "spec": { - "description": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overridden when the Machines are created based on the FailureDomains field.", + "description": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overriden when the Machines are created based on the FailureDomains field.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.MachineSpec" } @@ -22589,8 +21660,7 @@ "lun": { "description": "lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. This value is also needed for referencing the data disks devices within userdata to perform disk initialization through Ignition (e.g. partition/format/mount). The value must be between 0 and 63.", "type": "integer", - "format": "int32", - "default": 0 + "format": "int32" }, "managedDisk": { "description": "managedDisk specifies the Managed Disk parameters for the data disk. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a ManagedDisk with with storageAccountType: \"Premium_LRS\" and diskEncryptionSet.id: \"Default\".", @@ -22647,7 +21717,7 @@ "type": "object", "properties": { "deleteOnTermination": { - "description": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", + "description": "Indicates whether the EBS volume is deleted on machine termination.", "type": "boolean" }, "encrypted": { @@ -23318,7 +22388,7 @@ ], "properties": { "maxUnhealthy": { - "description": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. Defaults to 100% if not set.", + "description": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation.", "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString" }, "nodeStartupTimeout": { @@ -23347,6 +22417,10 @@ "com.github.openshift.api.machine.v1beta1.MachineHealthCheckStatus": { "description": "MachineHealthCheckStatus defines the observed state of MachineHealthCheck", "type": "object", + "required": [ + "expectedMachines", + "currentHealthy" + ], "properties": { "conditions": { "description": "conditions defines the current state of the MachineHealthCheck", @@ -23504,6 +22578,9 @@ "com.github.openshift.api.machine.v1beta1.MachineSetStatus": { "description": "MachineSetStatus defines the observed state of MachineSet", "type": "object", + "required": [ + "replicas" + ], "properties": { "authoritativeAPI": { "description": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", @@ -23933,8 +23010,7 @@ }, "securityType": { "description": "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", - "type": "string", - "default": "" + "type": "string" }, "trustedLaunch": { "description": "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", @@ -24243,6 +23319,95 @@ } } }, + "com.github.openshift.api.machineconfiguration.v1alpha1.BuildInputs": { + "description": "BuildInputs holds all of the information needed to trigger a build", + "type": "object", + "required": [ + "baseImagePullSecret", + "imageBuilder", + "renderedImagePushSecret", + "renderedImagePushspec" + ], + "properties": { + "baseImagePullSecret": { + "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" + }, + "baseOSExtensionsImagePullspec": { + "description": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + "type": "string" + }, + "baseOSImagePullspec": { + "description": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + "type": "string" + }, + "containerFile": { + "description": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSContainerfile" + }, + "x-kubernetes-list-map-keys": [ + "containerfileArch" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "containerfileArch", + "x-kubernetes-patch-strategy": "merge" + }, + "imageBuilder": { + "description": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSImageBuilder" + }, + "releaseVersion": { + "description": "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", + "type": "string" + }, + "renderedImagePushSecret": { + "description": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" + }, + "renderedImagePushspec": { + "description": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.BuildOutputs": { + "description": "BuildOutputs holds all information needed to handle booting the image after a build", + "type": "object", + "properties": { + "currentImagePullSecret": { + "description": "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" + } + }, + "x-kubernetes-unions": [ + { + "fields-to-discriminateBy": { + "currentImagePullSecret": "CurrentImagePullSecret" + } + } + ] + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference": { + "description": "Refers to the name of an image registry push/pull secret needed in the build process.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace.", + "type": "string", + "default": "" + } + } + }, "com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference": { "description": "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", "type": "object", @@ -24451,6 +23616,381 @@ } } }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigPoolReference": { + "description": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name of the MachineConfigPool object.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuild": { + "description": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec describes the configuration of the machine os build", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildSpec" + }, + "status": { + "description": "status describes the lst observed state of this machine os build", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildStatus" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildList": { + "description": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuild" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildSpec": { + "description": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", + "type": "object", + "required": [ + "configGeneration", + "desiredConfig", + "machineOSConfig", + "version", + "renderedImagePushspec" + ], + "properties": { + "configGeneration": { + "description": "configGeneration tracks which version of MachineOSConfig this build is based off of", + "type": "integer", + "format": "int64", + "default": 0 + }, + "desiredConfig": { + "description": "desiredConfig is the desired config we want to build an image for.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.RenderedMachineConfigReference" + }, + "machineOSConfig": { + "description": "machineOSConfig is the config object which the build is based off of", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigReference" + }, + "renderedImagePushspec": { + "description": "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", + "type": "string", + "default": "" + }, + "version": { + "description": "version tracks the newest MachineOSBuild for each MachineOSConfig", + "type": "integer", + "format": "int64", + "default": 0 + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildStatus": { + "description": "MachineOSBuildStatus describes the state of a build and other helpful information.", + "type": "object", + "required": [ + "buildStart" + ], + "properties": { + "buildEnd": { + "description": "buildEnd describes when the build ended.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "buildStart": { + "description": "buildStart describes when the build started.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "builderReference": { + "description": "ImageBuilderType describes the image builder set in the MachineOSConfig", + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuilderReference" + }, + "conditions": { + "description": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "finalImagePullspec": { + "description": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", + "type": "string" + }, + "relatedObjects": { + "description": "relatedObjects is a list of objects that are related to the build process.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference" + } + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuilderReference": { + "description": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", + "type": "object", + "required": [ + "imageBuilderType" + ], + "properties": { + "buildPod": { + "description": "relatedObjects is a list of objects that are related to the build process.", + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference" + }, + "imageBuilderType": { + "description": "imageBuilderType describes the image builder set in the MachineOSConfig", + "type": "string", + "default": "" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "imageBuilderType", + "fields-to-discriminateBy": { + "buildPod": "PodImageBuilder" + } + } + ] + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfig": { + "description": "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec describes the configuration of the machineosconfig", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigSpec" + }, + "status": { + "description": "status describes the status of the machineosconfig", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigStatus" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigList": { + "description": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfig" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigReference": { + "description": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name of the MachineOSConfig", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigSpec": { + "description": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", + "type": "object", + "required": [ + "machineConfigPool", + "buildInputs" + ], + "properties": { + "buildInputs": { + "description": "buildInputs is where user input options for the build live", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.BuildInputs" + }, + "buildOutputs": { + "description": "buildOutputs is where user input options for the build live", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.BuildOutputs" + }, + "machineConfigPool": { + "description": "machineConfigPool is the pool which the build is for", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigPoolReference" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigStatus": { + "description": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", + "type": "object", + "required": [ + "observedGeneration" + ], + "properties": { + "conditions": { + "description": "conditions are state related conditions for the config.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "currentImagePullspec": { + "description": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", + "type": "integer", + "format": "int64" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSContainerfile": { + "description": "MachineOSContainerfile contains all custom content the user wants built into the image", + "type": "object", + "required": [ + "content" + ], + "properties": { + "containerfileArch": { + "description": "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", + "type": "string", + "default": "" + }, + "content": { + "description": "content is the custom content to be built", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSImageBuilder": { + "type": "object", + "required": [ + "imageBuilderType" + ], + "properties": { + "imageBuilderType": { + "description": "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference": { + "description": "ObjectReference contains enough information to let you inspect or modify the referred object.", + "type": "object", + "required": [ + "group", + "resource", + "name" + ], + "properties": { + "group": { + "description": "group of the referent.", + "type": "string", + "default": "" + }, + "name": { + "description": "name of the referent.", + "type": "string", + "default": "" + }, + "namespace": { + "description": "namespace of the referent.", + "type": "string" + }, + "resource": { + "description": "resource of the referent.", + "type": "string", + "default": "" + } + } + }, "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef": { "type": "object", "required": [ @@ -24564,6 +24104,20 @@ } } }, + "com.github.openshift.api.machineconfiguration.v1alpha1.RenderedMachineConfigReference": { + "description": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the rendered MachineConfig object.", + "type": "string", + "default": "" + } + } + }, "com.github.openshift.api.monitoring.v1.AlertRelabelConfig": { "description": "AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -26581,6 +26135,7 @@ "description": "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", "required": [ + "kubeClientConfig", "servingInfo", "leaderElection", "controllers", @@ -26641,6 +26196,10 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, + "kubeClientConfig": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.KubeClientConfig" + }, "leaderElection": { "description": "leaderElection defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", "default": {}, @@ -27182,6 +26741,9 @@ }, "com.github.openshift.api.operator.v1.AuthenticationStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27413,6 +26975,9 @@ "com.github.openshift.api.operator.v1.CSISnapshotControllerStatus": { "description": "CSISnapshotControllerStatus defines the observed status of the CSISnapshotController operator.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27629,6 +27194,9 @@ "com.github.openshift.api.operator.v1.CloudCredentialStatus": { "description": "CloudCredentialStatus defines the observed status of the cloud-credential-operator.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27782,6 +27350,9 @@ "com.github.openshift.api.operator.v1.ClusterCSIDriverStatus": { "description": "ClusterCSIDriverStatus is the observed status of CSI driver operator", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27964,6 +27535,9 @@ }, "com.github.openshift.api.operator.v1.ConfigStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -28244,6 +27818,9 @@ "com.github.openshift.api.operator.v1.ConsoleStatus": { "description": "ConsoleStatus defines the observed status of the Console.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -28833,6 +28410,10 @@ }, "com.github.openshift.api.operator.v1.EtcdStatus": { "type": "object", + "required": [ + "readyReplicas", + "controlPlaneHardwareSpeed" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -29352,7 +28933,7 @@ "type": "object", "properties": { "internalMasqueradeSubnet": { - "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format", + "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format", "type": "string" } } @@ -29361,11 +28942,11 @@ "type": "object", "properties": { "internalJoinSubnet": { - "description": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "description": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The current default value is 100.64.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", "type": "string" }, "internalTransitSwitchSubnet": { - "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", "type": "string" } } @@ -29375,7 +28956,7 @@ "type": "object", "properties": { "internalMasqueradeSubnet": { - "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted", + "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/125 Note that IPV6 dual addresses are not permitted", "type": "string" } } @@ -29384,11 +28965,11 @@ "type": "object", "properties": { "internalJoinSubnet": { - "description": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "description": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", "type": "string" }, "internalTransitSwitchSubnet": { - "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", "type": "string" } } @@ -29448,8 +29029,7 @@ "properties": { "matchType": { "description": "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - "type": "string", - "default": "" + "type": "string" }, "maxLength": { "description": "maxLength specifies a maximum length of the string that will be logged, which includes the cookie name, cookie value, and one-character delimiter. If the log entry exceeds this length, the value will be truncated in the log message. Note that the ingress controller may impose a separate bound on the total length of HTTP headers in a request.", @@ -29487,8 +29067,7 @@ "properties": { "matchType": { "description": "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - "type": "string", - "default": "" + "type": "string" }, "name": { "description": "name specifies a cookie name. Its value must be a valid HTTP cookie name as defined in RFC 6265 section 4.1.", @@ -29815,6 +29394,11 @@ "com.github.openshift.api.operator.v1.IngressControllerStatus": { "description": "IngressControllerStatus defines the observed status of the IngressController.", "type": "object", + "required": [ + "availableReplicas", + "selector", + "domain" + ], "properties": { "availableReplicas": { "description": "availableReplicas is number of observed available replicas according to the ingress controller deployment.", @@ -30023,6 +29607,9 @@ }, "com.github.openshift.api.operator.v1.InsightsOperatorStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -30102,21 +29689,6 @@ } } }, - "com.github.openshift.api.operator.v1.IrreconcilableValidationOverrides": { - "description": "IrreconcilableValidationOverrides holds the irreconcilable validations overrides to be applied on each rendered MachineConfig generation.", - "type": "object", - "properties": { - "storage": { - "description": "storage can be used to allow making irreconcilable changes to the selected sections under the `spec.config.storage` field of MachineConfig CRs It must have at least one item, may not exceed 3 items and must not contain duplicates. Allowed element values are \"Disks\", \"FileSystems\", \"Raid\" and omitted. When contains \"Disks\" changes to the `spec.config.storage.disks` section of MachineConfig CRs are allowed. When contains \"FileSystems\" changes to the `spec.config.storage.filesystems` section of MachineConfig CRs are allowed. When contains \"Raid\" changes to the `spec.config.storage.raid` section of MachineConfig CRs are allowed. When omitted changes to the `spec.config.storage` section are forbidden.", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, "com.github.openshift.api.operator.v1.KubeAPIServer": { "description": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -30228,6 +29800,9 @@ }, "com.github.openshift.api.operator.v1.KubeAPIServerStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -30409,193 +29984,199 @@ "unsupportedConfigOverrides": { "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "useMoreSecureServiceCA": { - "description": "useMoreSecureServiceCA indicates that the service-ca.crt provided in SA token volumes should include only enough certificates to validate service serving certificates. Once set to true, it cannot be set to false. Even if someone finds a way to set it back to false, the service-ca.crt files that previously existed will only have the more secure content.", - "type": "boolean", - "default": false + }, + "useMoreSecureServiceCA": { + "description": "useMoreSecureServiceCA indicates that the service-ca.crt provided in SA token volumes should include only enough certificates to validate service serving certificates. Once set to true, it cannot be set to false. Even if someone finds a way to set it back to false, the service-ca.crt files that previously existed will only have the more secure content.", + "type": "boolean", + "default": false + } + } + }, + "com.github.openshift.api.operator.v1.KubeControllerManagerStatus": { + "type": "object", + "required": [ + "readyReplicas" + ], + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "latestAvailableRevisionReason": { + "description": "latestAvailableRevisionReason describe the detailed reason for the most recent deployment", + "type": "string" + }, + "nodeStatuses": { + "description": "nodeStatuses track the deployment values and errors across individual nodes", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.NodeStatus" + }, + "x-kubernetes-list-map-keys": [ + "nodeName" + ], + "x-kubernetes-list-type": "map" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.KubeScheduler": { + "description": "KubeScheduler provides information to configure an operator to manage scheduler.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec is the specification of the desired behavior of the Kubernetes Scheduler", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerSpec" + }, + "status": { + "description": "status is the most recently observed status of the Kubernetes Scheduler", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.KubeSchedulerList": { + "description": "KubeSchedulerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeScheduler" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.KubeSchedulerSpec": { + "type": "object", + "required": [ + "managementState", + "forceRedeploymentReason" + ], + "properties": { + "failedRevisionLimit": { + "description": "failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", + "type": "integer", + "format": "int32" + }, + "forceRedeploymentReason": { + "description": "forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work this time instead of failing again on the same config.", + "type": "string", + "default": "" + }, + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "succeededRevisionLimit": { + "description": "succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", + "type": "integer", + "format": "int32" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" } } }, - "com.github.openshift.api.operator.v1.KubeControllerManagerStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "latestAvailableRevisionReason": { - "description": "latestAvailableRevisionReason describe the detailed reason for the most recent deployment", - "type": "string" - }, - "nodeStatuses": { - "description": "nodeStatuses track the deployment values and errors across individual nodes", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.NodeStatus" - }, - "x-kubernetes-list-map-keys": [ - "nodeName" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.KubeScheduler": { - "description": "KubeScheduler provides information to configure an operator to manage scheduler.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec is the specification of the desired behavior of the Kubernetes Scheduler", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerSpec" - }, - "status": { - "description": "status is the most recently observed status of the Kubernetes Scheduler", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.KubeSchedulerList": { - "description": "KubeSchedulerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeScheduler" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.KubeSchedulerSpec": { + "com.github.openshift.api.operator.v1.KubeSchedulerStatus": { "type": "object", "required": [ - "managementState", - "forceRedeploymentReason" + "readyReplicas" ], - "properties": { - "failedRevisionLimit": { - "description": "failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", - "type": "integer", - "format": "int32" - }, - "forceRedeploymentReason": { - "description": "forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work this time instead of failing again on the same config.", - "type": "string", - "default": "" - }, - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "succeededRevisionLimit": { - "description": "succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", - "type": "integer", - "format": "int32" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - } - } - }, - "com.github.openshift.api.operator.v1.KubeSchedulerStatus": { - "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -30755,6 +30336,9 @@ }, "com.github.openshift.api.operator.v1.KubeStorageVersionMigratorStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31014,11 +30598,6 @@ "type": "string", "default": "" }, - "irreconcilableValidationOverrides": { - "description": "irreconcilableValidationOverrides is an optional field that can used to make changes to a MachineConfig that cannot be applied to existing nodes. When specified, the fields configured with validation overrides will no longer reject changes to those respective fields due to them not being able to be applied to existing nodes. Only newly provisioned nodes will have these configurations applied. Existing nodes will report observed configuration differences in their MachineConfigNode status.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.IrreconcilableValidationOverrides" - }, "logLevel": { "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", "type": "string" @@ -31221,6 +30800,9 @@ }, "com.github.openshift.api.operator.v1.MyOperatorResourceStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31467,6 +31049,9 @@ "com.github.openshift.api.operator.v1.NetworkStatus": { "description": "NetworkStatus is detailed operator status, which is distilled up to the Network clusteroperator object.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31979,6 +31564,9 @@ }, "com.github.openshift.api.operator.v1.OLMStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32080,11 +31668,11 @@ "type": "string" }, "v4InternalSubnet": { - "description": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is 100.64.0.0/16", + "description": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", "type": "string" }, "v6InternalSubnet": { - "description": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is fd98::/64", + "description": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", "type": "string" } } @@ -32182,151 +31770,157 @@ } } }, - "com.github.openshift.api.operator.v1.OpenShiftAPIServerStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManager": { - "description": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec" - }, - "status": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerList": { - "description": "OpenShiftControllerManagerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManager" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec": { + "com.github.openshift.api.operator.v1.OpenShiftAPIServerStatus": { + "type": "object", + "required": [ + "readyReplicas" + ], + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManager": { + "description": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec" + }, + "status": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerList": { + "description": "OpenShiftControllerManagerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManager" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec": { + "type": "object", + "required": [ + "managementState" + ], + "properties": { + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus": { "type": "object", "required": [ - "managementState" + "readyReplicas" ], - "properties": { - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus": { - "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32482,6 +32076,9 @@ }, "com.github.openshift.api.operator.v1.OperatorStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32976,6 +32573,9 @@ }, "com.github.openshift.api.operator.v1.ServiceCAStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33116,151 +32716,157 @@ } } }, - "com.github.openshift.api.operator.v1.ServiceCatalogAPIServerStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManager": { - "description": "ServiceCatalogControllerManager provides information to configure an operator to manage Service Catalog Controller Manager DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec" - }, - "status": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerList": { - "description": "ServiceCatalogControllerManagerList is a collection of items DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManager" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec": { + "com.github.openshift.api.operator.v1.ServiceCatalogAPIServerStatus": { + "type": "object", + "required": [ + "readyReplicas" + ], + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManager": { + "description": "ServiceCatalogControllerManager provides information to configure an operator to manage Service Catalog Controller Manager DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec" + }, + "status": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerList": { + "description": "ServiceCatalogControllerManagerList is a collection of items DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManager" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec": { + "type": "object", + "required": [ + "managementState" + ], + "properties": { + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus": { "type": "object", "required": [ - "managementState" + "readyReplicas" ], - "properties": { - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus": { - "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33472,6 +33078,9 @@ "com.github.openshift.api.operator.v1.StaticPodOperatorStatus": { "description": "StaticPodOperatorStatus is status for controllers that manage static pods. There are different needs because individual node status must be tracked.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33651,6 +33260,9 @@ "com.github.openshift.api.operator.v1.StorageStatus": { "description": "StorageStatus defines the observed status of the cluster storage operator.", "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -34360,6 +33972,9 @@ }, "com.github.openshift.api.operator.v1alpha1.OLMStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -35935,6 +35550,130 @@ } } }, + "com.github.openshift.api.platform.v1alpha1.ActiveBundleDeployment": { + "description": "ActiveBundleDeployment references a BundleDeployment resource.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the metadata.name of the referenced BundleDeployment object.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.platform.v1alpha1.Package": { + "description": "Package contains fields to configure which OLM package this PlatformOperator will install", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name contains the desired OLM-based Operator package name that is defined in an existing CatalogSource resource in the cluster.\n\nThis configured package will be managed with the cluster's lifecycle. In the current implementation, it will be retrieving this name from a list of supported operators out of the catalogs included with OpenShift.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.platform.v1alpha1.PlatformOperator": { + "description": "PlatformOperator is the Schema for the PlatformOperators API.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperatorSpec" + }, + "status": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperatorStatus" + } + } + }, + "com.github.openshift.api.platform.v1alpha1.PlatformOperatorList": { + "description": "PlatformOperatorList contains a list of PlatformOperators\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperator" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.platform.v1alpha1.PlatformOperatorSpec": { + "description": "PlatformOperatorSpec defines the desired state of PlatformOperator.", + "type": "object", + "required": [ + "package" + ], + "properties": { + "package": { + "description": "package contains the desired package and its configuration for this PlatformOperator.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.Package" + } + } + }, + "com.github.openshift.api.platform.v1alpha1.PlatformOperatorStatus": { + "description": "PlatformOperatorStatus defines the observed state of PlatformOperator", + "type": "object", + "properties": { + "activeBundleDeployment": { + "description": "activeBundleDeployment is the reference to the BundleDeployment resource that's being managed by this PO resource. If this field is not populated in the status then it means the PlatformOperator has either not been installed yet or is failing to install.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.ActiveBundleDeployment" + }, + "conditions": { + "description": "conditions represent the latest available observations of a platform operator's current state.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + } + }, "com.github.openshift.api.project.v1.Project": { "description": "Projects are the unit of isolation and collaboration in OpenShift. A project has one or more members, a quota on the resources that the project may consume, and the security controls on the resources in the project. Within a project, members may have different roles - project administrators can set membership, editors can create and manage the resources, and viewers can see but not access running containers. In a normal cluster project administrators are not able to alter their quotas - that is restricted to cluster administrators.\n\nListing or watching projects will return only projects the user has the reader role on.\n\nAn OpenShift project is an alternative representation of a Kubernetes namespace. Projects are exposed as editable to end users while namespaces are not. Direct creation of a project is typically restricted to administrators, while end users should use the requestproject resource.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -36985,6 +36724,9 @@ "com.github.openshift.api.security.v1.PodSecurityPolicyReviewStatus": { "description": "PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.", "type": "object", + "required": [ + "allowedServiceAccounts" + ], "properties": { "allowedServiceAccounts": { "description": "allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.", @@ -37649,6 +37391,9 @@ }, "com.github.openshift.api.servicecertsigner.v1alpha1.ServiceCertSignerOperatorConfigStatus": { "type": "object", + "required": [ + "readyReplicas" + ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -40210,77 +39955,6 @@ "default": {}, "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState" }, - "stopSignal": { - "description": "StopSignal reports the effective stop signal for this container\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", - "type": "string", - "enum": [ - "SIGABRT", - "SIGALRM", - "SIGBUS", - "SIGCHLD", - "SIGCLD", - "SIGCONT", - "SIGFPE", - "SIGHUP", - "SIGILL", - "SIGINT", - "SIGIO", - "SIGIOT", - "SIGKILL", - "SIGPIPE", - "SIGPOLL", - "SIGPROF", - "SIGPWR", - "SIGQUIT", - "SIGRTMAX", - "SIGRTMAX-1", - "SIGRTMAX-10", - "SIGRTMAX-11", - "SIGRTMAX-12", - "SIGRTMAX-13", - "SIGRTMAX-14", - "SIGRTMAX-2", - "SIGRTMAX-3", - "SIGRTMAX-4", - "SIGRTMAX-5", - "SIGRTMAX-6", - "SIGRTMAX-7", - "SIGRTMAX-8", - "SIGRTMAX-9", - "SIGRTMIN", - "SIGRTMIN+1", - "SIGRTMIN+10", - "SIGRTMIN+11", - "SIGRTMIN+12", - "SIGRTMIN+13", - "SIGRTMIN+14", - "SIGRTMIN+15", - "SIGRTMIN+2", - "SIGRTMIN+3", - "SIGRTMIN+4", - "SIGRTMIN+5", - "SIGRTMIN+6", - "SIGRTMIN+7", - "SIGRTMIN+8", - "SIGRTMIN+9", - "SIGSEGV", - "SIGSTKFLT", - "SIGSTOP", - "SIGSYS", - "SIGTERM", - "SIGTRAP", - "SIGTSTP", - "SIGTTIN", - "SIGTTOU", - "SIGURG", - "SIGUSR1", - "SIGUSR2", - "SIGVTALRM", - "SIGWINCH", - "SIGXCPU", - "SIGXFSZ" - ] - }, "user": { "description": "User represents user identity information initially attached to the first process of the container", "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser" @@ -40403,7 +40077,7 @@ } }, "io.k8s.api.core.v1.EndpointAddress": { - "description": "EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+.", + "description": "EndpointAddress is a tuple that describes single IP address.", "type": "object", "required": [ "ip" @@ -40430,7 +40104,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.EndpointPort": { - "description": "EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+.", + "description": "EndpointPort is a tuple that describes a single port.", "type": "object", "required": [ "port" @@ -40463,7 +40137,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.EndpointSubset": { - "description": "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.", + "description": "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]", "type": "object", "properties": { "addresses": { @@ -40496,7 +40170,7 @@ } }, "io.k8s.api.core.v1.Endpoints": { - "description": "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]\n\nEndpoints is a legacy API and does not contain information about all Service features. Use discoveryv1.EndpointSlice for complete information about Service endpoints.\n\nDeprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.", + "description": "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]", "type": "object", "properties": { "apiVersion": { @@ -40524,7 +40198,7 @@ } }, "io.k8s.api.core.v1.EndpointsList": { - "description": "EndpointsList is a list of endpoints. Deprecated: This API is deprecated in v1.33+.", + "description": "EndpointsList is a list of endpoints.", "type": "object", "required": [ "items" @@ -40554,7 +40228,7 @@ } }, "io.k8s.api.core.v1.EnvFromSource": { - "description": "EnvFromSource represents the source of a set of ConfigMaps or Secrets", + "description": "EnvFromSource represents the source of a set of ConfigMaps", "type": "object", "properties": { "configMapRef": { @@ -40562,7 +40236,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource" }, "prefix": { - "description": "Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.", + "description": "An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.", "type": "string" }, "secretRef": { @@ -41689,77 +41363,6 @@ "preStop": { "description": "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks", "$ref": "#/definitions/io.k8s.api.core.v1.LifecycleHandler" - }, - "stopSignal": { - "description": "StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", - "type": "string", - "enum": [ - "SIGABRT", - "SIGALRM", - "SIGBUS", - "SIGCHLD", - "SIGCLD", - "SIGCONT", - "SIGFPE", - "SIGHUP", - "SIGILL", - "SIGINT", - "SIGIO", - "SIGIOT", - "SIGKILL", - "SIGPIPE", - "SIGPOLL", - "SIGPROF", - "SIGPWR", - "SIGQUIT", - "SIGRTMAX", - "SIGRTMAX-1", - "SIGRTMAX-10", - "SIGRTMAX-11", - "SIGRTMAX-12", - "SIGRTMAX-13", - "SIGRTMAX-14", - "SIGRTMAX-2", - "SIGRTMAX-3", - "SIGRTMAX-4", - "SIGRTMAX-5", - "SIGRTMAX-6", - "SIGRTMAX-7", - "SIGRTMAX-8", - "SIGRTMAX-9", - "SIGRTMIN", - "SIGRTMIN+1", - "SIGRTMIN+10", - "SIGRTMIN+11", - "SIGRTMIN+12", - "SIGRTMIN+13", - "SIGRTMIN+14", - "SIGRTMIN+15", - "SIGRTMIN+2", - "SIGRTMIN+3", - "SIGRTMIN+4", - "SIGRTMIN+5", - "SIGRTMIN+6", - "SIGRTMIN+7", - "SIGRTMIN+8", - "SIGRTMIN+9", - "SIGSEGV", - "SIGSTKFLT", - "SIGSTOP", - "SIGSYS", - "SIGTERM", - "SIGTRAP", - "SIGTSTP", - "SIGTTIN", - "SIGTTOU", - "SIGURG", - "SIGUSR1", - "SIGUSR2", - "SIGVTALRM", - "SIGWINCH", - "SIGXCPU", - "SIGXFSZ" - ] } } }, @@ -42691,17 +42294,6 @@ } } }, - "io.k8s.api.core.v1.NodeSwapStatus": { - "description": "NodeSwapStatus represents swap memory information.", - "type": "object", - "properties": { - "capacity": { - "description": "Total amount of swap memory in bytes.", - "type": "integer", - "format": "int64" - } - } - }, "io.k8s.api.core.v1.NodeSystemInfo": { "description": "NodeSystemInfo is a set of ids/uuids to uniquely identify the node.", "type": "object", @@ -42763,10 +42355,6 @@ "type": "string", "default": "" }, - "swap": { - "description": "Swap Info reported by the node.", - "$ref": "#/definitions/io.k8s.api.core.v1.NodeSwapStatus" - }, "systemUUID": { "description": "SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid", "type": "string", @@ -43524,7 +43112,7 @@ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" }, "matchLabelKeys": { - "description": "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.", + "description": "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", "type": "array", "items": { "type": "string", @@ -43533,7 +43121,7 @@ "x-kubernetes-list-type": "atomic" }, "mismatchLabelKeys": { - "description": "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.", + "description": "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", "type": "array", "items": { "type": "string", @@ -43639,11 +43227,6 @@ "description": "Human-readable message indicating details about last transition.", "type": "string" }, - "observedGeneration": { - "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", - "type": "integer", - "format": "int64" - }, "reason": { "description": "Unique, one-word, CamelCase reason for the condition's last transition.", "type": "string" @@ -44183,7 +43766,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainers": { - "description": "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", + "description": "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", "type": "array", "items": { "default": {}, @@ -44432,11 +44015,6 @@ "description": "nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.", "type": "string" }, - "observedGeneration": { - "description": "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", - "type": "integer", - "format": "int64" - }, "phase": { "description": "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)", "type": "string", @@ -44480,7 +44058,7 @@ "type": "string" }, "resize": { - "description": "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.", + "description": "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"", "type": "string" }, "resourceClaimStatuses": { @@ -45059,14 +44637,12 @@ "minReadySeconds": { "description": "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)", "type": "integer", - "format": "int32", - "default": 0 + "format": "int32" }, "replicas": { "description": "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller", "type": "integer", - "format": "int32", - "default": 1 + "format": "int32" }, "selector": { "description": "Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", @@ -45277,8 +44853,7 @@ "NotBestEffort", "NotTerminating", "PriorityClass", - "Terminating", - "VolumeAttributesClass" + "Terminating" ] }, "x-kubernetes-list-type": "atomic" @@ -45531,7 +45106,7 @@ ] }, "scopeName": { - "description": "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0\n - `\"VolumeAttributesClass\"` Match all pvc objects that have volume attributes class mentioned.", + "description": "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0", "type": "string", "default": "", "enum": [ @@ -45540,8 +45115,7 @@ "NotBestEffort", "NotTerminating", "PriorityClass", - "Terminating", - "VolumeAttributesClass" + "Terminating" ] }, "values": { @@ -46198,7 +45772,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.SessionAffinityConfig" }, "trafficDistribution": { - "description": "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are in the same zone.", + "description": "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are topologically close (e.g., same zone). This is a beta field and requires enabling ServiceTrafficDistribution feature.", "type": "string" }, "type": { @@ -46495,7 +46069,7 @@ "format": "int32" }, "nodeAffinityPolicy": { - "description": "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + "description": "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", "type": "string", "enum": [ "Honor", @@ -46503,7 +46077,7 @@ ] }, "nodeTaintsPolicy": { - "description": "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + "description": "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", "type": "string", "enum": [ "Honor", @@ -46655,7 +46229,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource" }, "image": { - "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", "$ref": "#/definitions/io.k8s.api.core.v1.ImageVolumeSource" }, "iscsi": { @@ -46935,7 +46509,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource" }, "image": { - "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", "$ref": "#/definitions/io.k8s.api.core.v1.ImageVolumeSource" }, "iscsi": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index 4f67bf9e0ca..bdd6b39e7e7 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index 2a3b60571cb..50cb0d83385 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -79,34 +79,27 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -115,33 +108,18 @@ spec: type: object username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -149,28 +127,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -185,40 +160,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -227,36 +211,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -264,17 +254,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -285,77 +286,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -366,34 +328,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -409,8 +358,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -534,29 +510,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -630,10 +593,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -645,37 +606,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 195efce400b..2a12eec83b4 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 4e8c79c3201..ccfd29ab983 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 72c798fae70..384bf105a9a 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 998e804191f..9af68271f95 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 75446be6cca..4799299b92b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -79,9 +79,8 @@ spec: properties: claimMappings: description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + claimMappings describes rules on how to transform information from an + ID token into a cluster identity properties: extra: description: |- @@ -89,7 +88,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. + A maximum of 64 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,44 +169,38 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 1024 characters in length. + valueExpression must not exceed 4096 characters in length. valueExpression must not be empty. - maxLength: 1024 + maxLength: 4096 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 32 + maxItems: 64 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a JWT token claim to be used in + the mapping type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is a string to prefix the value from the token in the result of the + claim mapping. - When omitted (""), no prefix is applied to the cluster identity attribute. + By default, no prefixing occurs. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -255,8 +248,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. - maxLength: 1024 + and must not exceed 4096 characters in length. + maxLength: 4096 minLength: 1 type: string type: object @@ -266,33 +259,18 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 + description: claim is a JWT token claim to be used in + the mapping type: string prefix: - description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: - description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -300,28 +278,25 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. - - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. - As an example, consider the following scenario: - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -336,40 +311,49 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' - required: - - username type: object claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. - - Validation rules are joined via an AND operation. + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- - requiredClaim is an optional field that configures the required claim - and value that the Kubernetes API server will use to validate if an incoming - JWT is valid for this identity provider. + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. properties: claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). + description: claim is a name of a required claim. + Only claims with string values are supported. minLength: 1 type: string requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. - - requiredValue must not be an empty string (""). + description: requiredValue is the required value for + the claim. minLength: 1 type: string required: @@ -378,36 +362,42 @@ spec: type: object type: default: RequiredClaim - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). - - When set to 'RequiredClaim', the Kubernetes API server - will be configured to validate that the incoming JWT - contains the required claim and that its value matches - the required value. - - Defaults to 'RequiredClaim'. + description: type sets the type of the validation rule enum: - RequiredClaim + - Expression type: string type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer describes atributes of the OIDC token issuer properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. items: minLength: 1 type: string @@ -415,17 +405,28 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. properties: name: description: name is the metadata.name of the referenced @@ -436,77 +437,38 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. - maxLength: 512 - minLength: 1 + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' required: - audiences - issuerURL type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' name: - description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). + description: name of the OIDC provider minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer items: - description: |- - OIDCClientConfig configures how platform clients - interact with identity providers as an authentication - method properties: clientID: - description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests - to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field properties: name: description: name is the metadata.name of the referenced @@ -517,34 +479,21 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + componentName is the name of the component that is supposed to consume this + client configuration maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + componentNamespace is the namespace of the component that is supposed to consume this + client configuration maxLength: 63 minLength: 1 type: string extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. + description: extraScopes is an optional set of scopes + to request tokens with. items: type: string type: array @@ -560,8 +509,35 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - - claimMappings - issuer - name type: object @@ -685,29 +661,16 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. properties: componentName: - description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. + description: componentName is the name of the component that + will consume a client configuration. maxLength: 256 minLength: 1 type: string componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + description: componentNamespace is the namespace of the component + that will consume a client configuration. maxLength: 63 minLength: 1 type: string @@ -781,10 +744,8 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. + consumingUsers is a slice of ServiceAccounts that need to have read + permission on the `clientSecret` secret. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -796,37 +757,24 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - Entries must have unique issuerURL/clientID pairs. + description: currentOIDCClients is a list of clients that the + component is currently using. items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. properties: clientID: - description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. - - clientID must not be empty. + description: clientID is the identifier of the OIDC client + from the OIDC provider minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. - - issuerURL must use the 'https' scheme. + URL is the serving URL of the token issuer. + Must use the https:// scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). + description: OIDCName refers to the `name` of the provider + from `oidcProviders` minLength: 1 type: string required: From b332d8661d629a351c30e950a3411f796f95f095 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Mon, 12 May 2025 14:52:37 +0200 Subject: [PATCH 04/12] added fields behind the feature gate Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 4 +- ..._generated.featuregated-crd-manifests.yaml | 1 + .../ExternalOIDCWithNewAuthConfigFields.yaml | 522 ++++++++++++++++++ features.md | 1 + .../featureGate-Hypershift-Default.yaml | 3 + ...reGate-Hypershift-DevPreviewNoUpgrade.yaml | 3 + ...eGate-Hypershift-TechPreviewNoUpgrade.yaml | 3 + .../featureGate-SelfManagedHA-Default.yaml | 3 + ...ate-SelfManagedHA-DevPreviewNoUpgrade.yaml | 3 + ...te-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 + 10 files changed, 544 insertions(+), 2 deletions(-) create mode 100644 config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 6c6e52c6289..dad63f23e5f 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithNewAuthConfigFields,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients" // Authentication specifies cluster-wide settings for authentication (like OAuth and // webhook token authenticators). The canonical name of an instance is `cluster`. @@ -91,7 +91,7 @@ type AuthenticationSpec struct { // +kubebuilder:validation:MaxItems=1 // +openshift:enable:FeatureGate=ExternalOIDC // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings - // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"` } diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index 6d756e8f904..09d83050102 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -30,6 +30,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCWithNewAuthConfigFields - ExternalOIDCWithUIDAndExtraClaimMappings FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml new file mode 100644 index 00000000000..7b6096d29f8 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -0,0 +1,522 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/ExternalOIDCWithNewAuthConfigFields: "true" + release.openshift.io/bootstrap-required: "true" + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + claimMappings describes rules on how to transform information from an + ID token into a cluster identity + properties: + groups: + description: |- + groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. + properties: + claim: + description: claim is a JWT token claim to be used in + the mapping + type: string + prefix: + description: |- + prefix is a string to prefix the value from the token in the result of the + claim mapping. + + By default, no prefixing occurs. + + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + username: + description: |- + username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" + properties: + claim: + description: claim is a JWT token claim to be used in + the mapping + type: string + prefix: + properties: + prefixString: + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: claimValidationRules are rules that are applied + to validate token claims to authenticate users. + items: + properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + Expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + RequiredClaim is used when type is RequiredClaim. + properties: + claim: + description: claim is a name of a required claim. + Only claims with string values are supported. + minLength: 1 + type: string + requiredValue: + description: requiredValue is the required value for + the claim. + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: type sets the type of the validation rule + enum: + - RequiredClaim + - Expression + type: string + type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + - message: expressionRule must be set when type is 'Expression', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) + : !has(self.expressionRule)' + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer describes atributes of the OIDC token issuer + properties: + audienceMatchPolicy: + description: |- + audienceMatchPolicy specifies how token audiences are matched. + If omitted, the system applies a default policy. + Valid values are: + - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. + enum: + - MatchAny + - "" + type: string + audiences: + description: |- + audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + discoveryURL: + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: discoveryURL must be a valid URL + rule: 'self.size() > 0 ? isURL(self) : true' + - message: discoveryURL must use https scheme + rule: 'self.size() > 0 ? url(self).scheme == ''https'' + : true' + - message: discoveryURL must not contain query parameters + rule: 'self.size() > 0 ? url(self).query == '''' : true' + - message: discoveryURL must not contain user info + rule: 'self.size() > 0 ? url(self).user == '''' : true' + - message: discoveryURL must not contain a fragment + rule: 'self.size() > 0 ? url(self).fragment == '''' : + true' + issuerCertificateAuthority: + description: |- + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + x-kubernetes-validations: + - message: discoveryURL must be different from URL + rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == + 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + : true' + name: + description: name of the OIDC provider + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients contains configuration for the platform's clients that + need to request tokens from the issuer + items: + properties: + clientID: + description: clientID is the identifier of the OIDC client + from the OIDC provider + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is the name of the component that is supposed to consume this + client configuration + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is the namespace of the component that is supposed to consume this + client configuration + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: extraScopes is an optional set of scopes + to request tokens with. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: all oidcClients in the oidcProviders must match their componentName + and componentNamespace to either a previously configured oidcClient or + they must exist in the status.oidcClients + rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) + || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace + == specC.componentNamespace && statusC.componentName == specC.componentName) + || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, + oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, + oldC.componentNamespace == specC.componentNamespace && oldC.componentName + == specC.componentName)))))' + served: true + storage: true + subresources: + status: {} diff --git a/features.md b/features.md index 05172942208..815291221a8 100644 --- a/features.md +++ b/features.md @@ -39,6 +39,7 @@ | DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | | Example| | | Enabled | Enabled | Enabled | Enabled | +| ExternalOIDCWithNewAuthConfigFields| | | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index a807ed9434d..7cf987c8c62 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -97,6 +97,9 @@ { "name": "Example2" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 60b0c1407f9..ec1cf4c84c0 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -152,6 +152,9 @@ { "name": "ExternalOIDC" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index 4b16de057ba..f0ea5ba5af4 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -158,6 +158,9 @@ { "name": "ExternalOIDC" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index 2b94acf2bbe..45bdf40a017 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -100,6 +100,9 @@ { "name": "ExternalOIDC" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index 37477a73dfe..f7929ebfb99 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -134,6 +134,9 @@ { "name": "ExternalOIDC" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index 4b73d1e8062..d7de931dd7c 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -140,6 +140,9 @@ { "name": "ExternalOIDC" }, + { + "name": "ExternalOIDCWithNewAuthConfigFields" + }, { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, From fe519adb60281bc7b0711f8f4c74c6faa1ab3abd Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Tue, 13 May 2025 14:02:42 +0200 Subject: [PATCH 05/12] made adjusments to cover review comments Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 9 +- ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 22 +++-- ...uthentications-Hypershift-Default.crd.yaml | 83 ------------------- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 22 +++-- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 22 +++-- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 22 +++-- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 22 +++-- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 22 +++-- .../ExternalOIDC.yaml | 83 ------------------- .../ExternalOIDCWithNewAuthConfigFields.yaml | 22 +++-- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 83 ------------------- .../v1/zz_generated.swagger_doc_generated.go | 1 + .../generated_openapi/zz_generated.openapi.go | 5 +- openapi/openapi.json | 1 + ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 22 +++-- ...uthentications-Hypershift-Default.crd.yaml | 83 ------------------- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 22 +++-- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 22 +++-- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 22 +++-- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 22 +++-- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 22 +++-- 21 files changed, 219 insertions(+), 415 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index dad63f23e5f..faaa25595f9 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -251,13 +251,14 @@ type OIDCProvider struct { // +optional //+listType=atomic + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } // +kubebuilder:validation:MinLength=1 type TokenAudience string -// +kubebuilder:validation:XValidation:rule="self.discoveryURL.size() > 0 ? (self.url.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.url.find('^.+[^/]')) : true",message="discoveryURL must be different from URL" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithNewAuthConfigFields,rule="self.discoveryURL.size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL" type TokenIssuer struct { // issuerURL is a required field that configures the URL used to issue tokens // by the identity provider. @@ -314,12 +315,12 @@ type TokenIssuer struct { // // +optional // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).scheme == 'https' : true",message="discoveryURL must use https scheme" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (isURL(self) && url(self).getScheme() == 'https') : true",message="discoveryURL must be a valid https URL" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).query == '' : true",message="discoveryURL must not contain query parameters" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).user == '' : true",message="discoveryURL must not contain user info" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).fragment == '' : true",message="discoveryURL must not contain a fragment" // +kubebuilder:validation:MaxLength=2048 - + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields DiscoveryURL string `json:"discoveryURL,omitempty"` // audienceMatchPolicy specifies how token audiences are matched. @@ -328,6 +329,7 @@ type TokenIssuer struct { // - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. // // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields AudienceMatchPolicy AudienceMatchPolicy `json:"audienceMatchPolicy,omitempty"` } @@ -806,6 +808,7 @@ type TokenClaimValidationRule struct { // Must be set if type == "Expression". // // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` } diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index bdd6b39e7e7..42da6638cf4 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index 50cb0d83385..c2a90d9c9f6 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -166,30 +166,6 @@ spec: to validate token claims to authenticate users. items: properties: - expressionRule: - description: |- - expressionRule contains the configuration for the "Expression" type. - Must be set if type == "Expression". - properties: - expression: - description: |- - Expression is a CEL expression evaluated against token claims. - The expression must be a non-empty string and no longer than 4096 characters. - This field is required. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message allows configuring the human-readable message that is returned - from the Kubernetes API server when a token fails validation based on - the CEL expression defined in 'expression'. This field is optional. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -231,16 +207,6 @@ spec: issuer: description: issuer describes atributes of the OIDC token issuer properties: - audienceMatchPolicy: - description: |- - audienceMatchPolicy specifies how token audiences are matched. - If omitted, the system applies a default policy. - Valid values are: - - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. - enum: - - MatchAny - - "" - type: string audiences: description: |- audiences is an array of audiences that the token was issued for. @@ -254,22 +220,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set - discoveryURL: - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' - - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' - - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the @@ -294,11 +244,6 @@ spec: - audiences - issuerURL type: object - x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) - : true' name: description: name of the OIDC provider minLength: 1 @@ -358,34 +303,6 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map - userValidationRules: - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - If the expression evaluates to false, the token is rejected. - See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. - At least one rule must evaluate to true for the token to be considered valid. - properties: - expression: - description: |- - Expression is a CEL expression that must evaluate - to true for the token to be accepted. The expression is evaluated against the token's - user information (e.g., username, groups). This field must be non-empty and may not - exceed 4096 characters. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message is an optional, human-readable message returned by the API server when - this validation rule fails. It can help clarify why a token was rejected. - type: string - required: - - expression - type: object - type: array - x-kubernetes-list-type: atomic required: - issuer - name diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 2a12eec83b4..6aca805ccb7 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index ccfd29ab983..6d6b226a896 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 384bf105a9a..0341b036b2e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 9af68271f95..0a437c01d5d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 4799299b92b..86d7bbc7847 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index 6f4246946e2..d263c4d4265 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -167,30 +167,6 @@ spec: to validate token claims to authenticate users. items: properties: - expressionRule: - description: |- - expressionRule contains the configuration for the "Expression" type. - Must be set if type == "Expression". - properties: - expression: - description: |- - Expression is a CEL expression evaluated against token claims. - The expression must be a non-empty string and no longer than 4096 characters. - This field is required. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message allows configuring the human-readable message that is returned - from the Kubernetes API server when a token fails validation based on - the CEL expression defined in 'expression'. This field is optional. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -232,16 +208,6 @@ spec: issuer: description: issuer describes atributes of the OIDC token issuer properties: - audienceMatchPolicy: - description: |- - audienceMatchPolicy specifies how token audiences are matched. - If omitted, the system applies a default policy. - Valid values are: - - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. - enum: - - MatchAny - - "" - type: string audiences: description: |- audiences is an array of audiences that the token was issued for. @@ -255,22 +221,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set - discoveryURL: - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' - - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' - - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the @@ -295,11 +245,6 @@ spec: - audiences - issuerURL type: object - x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) - : true' name: description: name of the OIDC provider minLength: 1 @@ -359,34 +304,6 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map - userValidationRules: - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - If the expression evaluates to false, the token is rejected. - See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. - At least one rule must evaluate to true for the token to be considered valid. - properties: - expression: - description: |- - Expression is a CEL expression that must evaluate - to true for the token to be accepted. The expression is evaluated against the token's - user information (e.g., username, groups). This field must be non-empty and may not - exceed 4096 characters. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message is an optional, human-readable message returned by the API server when - this validation rule fails. It can help clarify why a token was rejected. - type: string - required: - - expression - type: object - type: array - x-kubernetes-list-type: atomic required: - issuer - name diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index 7b6096d29f8..f9052e7991b 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -256,14 +256,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -296,9 +306,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 77b64e3562a..38d4415ca18 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -318,30 +318,6 @@ spec: to validate token claims to authenticate users. items: properties: - expressionRule: - description: |- - expressionRule contains the configuration for the "Expression" type. - Must be set if type == "Expression". - properties: - expression: - description: |- - Expression is a CEL expression evaluated against token claims. - The expression must be a non-empty string and no longer than 4096 characters. - This field is required. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message allows configuring the human-readable message that is returned - from the Kubernetes API server when a token fails validation based on - the CEL expression defined in 'expression'. This field is optional. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -383,16 +359,6 @@ spec: issuer: description: issuer describes atributes of the OIDC token issuer properties: - audienceMatchPolicy: - description: |- - audienceMatchPolicy specifies how token audiences are matched. - If omitted, the system applies a default policy. - Valid values are: - - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. - enum: - - MatchAny - - "" - type: string audiences: description: |- audiences is an array of audiences that the token was issued for. @@ -406,22 +372,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set - discoveryURL: - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' - - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' - - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the @@ -446,11 +396,6 @@ spec: - audiences - issuerURL type: object - x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) - : true' name: description: name of the OIDC provider minLength: 1 @@ -510,34 +455,6 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map - userValidationRules: - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - If the expression evaluates to false, the token is rejected. - See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. - At least one rule must evaluate to true for the token to be considered valid. - properties: - expression: - description: |- - Expression is a CEL expression that must evaluate - to true for the token to be accepted. The expression is evaluated against the token's - user information (e.g., username, groups). This field must be non-empty and may not - exceed 4096 characters. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message is an optional, human-readable message returned by the API server when - this validation rule fails. It can help clarify why a token was rejected. - type: string - required: - - expression - type: object - type: array - x-kubernetes-list-type: atomic required: - issuer - name diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 566d03ff115..46fb4f6bfab 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -512,6 +512,7 @@ var map_TokenIssuer = map[string]string{ "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` as \"{url}/.well-known/openid-configuration\".\n\nThe discoveryURL must:\n - Be a valid absolute URL.\n - Use the HTTPS scheme.\n - Not contain query parameters, user info, or fragments.\n - Be different from the value of `url` (ignoring trailing slashes)", "audienceMatchPolicy": "audienceMatchPolicy specifies how token audiences are matched. If omitted, the system applies a default policy. Valid values are: - \"MatchAny\": The token is accepted if any of its audiences match any of the configured audiences.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index ba6a1f74d03..6c4e012605e 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -19615,8 +19615,9 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, "discoveryURL": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Description: "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` as \"{url}/.well-known/openid-configuration\".\n\nThe discoveryURL must:\n - Be a valid absolute URL.\n - Use the HTTPS scheme.\n - Not contain query parameters, user info, or fragments.\n - Be different from the value of `url` (ignoring trailing slashes)", + Type: []string{"string"}, + Format: "", }, }, "audienceMatchPolicy": { diff --git a/openapi/openapi.json b/openapi/openapi.json index 011a1b7b7b7..2bdecc054d1 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -10621,6 +10621,7 @@ "x-kubernetes-list-type": "set" }, "discoveryURL": { + "description": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` as \"{url}/.well-known/openid-configuration\".\n\nThe discoveryURL must:\n - Be a valid absolute URL.\n - Use the HTTPS scheme.\n - Not contain query parameters, user info, or fragments.\n - Be different from the value of `url` (ignoring trailing slashes)", "type": "string" }, "issuerCertificateAuthority": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index bdd6b39e7e7..42da6638cf4 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index 50cb0d83385..c2a90d9c9f6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -166,30 +166,6 @@ spec: to validate token claims to authenticate users. items: properties: - expressionRule: - description: |- - expressionRule contains the configuration for the "Expression" type. - Must be set if type == "Expression". - properties: - expression: - description: |- - Expression is a CEL expression evaluated against token claims. - The expression must be a non-empty string and no longer than 4096 characters. - This field is required. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message allows configuring the human-readable message that is returned - from the Kubernetes API server when a token fails validation based on - the CEL expression defined in 'expression'. This field is optional. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -231,16 +207,6 @@ spec: issuer: description: issuer describes atributes of the OIDC token issuer properties: - audienceMatchPolicy: - description: |- - audienceMatchPolicy specifies how token audiences are matched. - If omitted, the system applies a default policy. - Valid values are: - - "MatchAny": The token is accepted if any of its audiences match any of the configured audiences. - enum: - - MatchAny - - "" - type: string audiences: description: |- audiences is an array of audiences that the token was issued for. @@ -254,22 +220,6 @@ spec: minItems: 1 type: array x-kubernetes-list-type: set - discoveryURL: - maxLength: 2048 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' - - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' - - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the @@ -294,11 +244,6 @@ spec: - audiences - issuerURL type: object - x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) - : true' name: description: name of the OIDC provider minLength: 1 @@ -358,34 +303,6 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map - userValidationRules: - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - If the expression evaluates to false, the token is rejected. - See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. - At least one rule must evaluate to true for the token to be considered valid. - properties: - expression: - description: |- - Expression is a CEL expression that must evaluate - to true for the token to be accepted. The expression is evaluated against the token's - user information (e.g., username, groups). This field must be non-empty and may not - exceed 4096 characters. - maxLength: 4096 - minLength: 1 - type: string - message: - description: |- - Message is an optional, human-readable message returned by the API server when - this validation rule fails. It can help clarify why a token was rejected. - type: string - required: - - expression - type: object - type: array - x-kubernetes-list-type: atomic required: - issuer - name diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 2a12eec83b4..6aca805ccb7 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index ccfd29ab983..6d6b226a896 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 384bf105a9a..0341b036b2e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 9af68271f95..0a437c01d5d 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 4799299b92b..86d7bbc7847 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -406,14 +406,24 @@ spec: type: array x-kubernetes-list-type: set discoveryURL: + description: |- + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint + used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` + as "{url}/.well-known/openid-configuration". + + The discoveryURL must: + - Be a valid absolute URL. + - Use the HTTPS scheme. + - Not contain query parameters, user info, or fragments. + - Be different from the value of `url` (ignoring trailing slashes) maxLength: 2048 type: string x-kubernetes-validations: - message: discoveryURL must be a valid URL rule: 'self.size() > 0 ? isURL(self) : true' - - message: discoveryURL must use https scheme - rule: 'self.size() > 0 ? url(self).scheme == ''https'' - : true' + - message: discoveryURL must be a valid https URL + rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() + == ''https'') : true' - message: discoveryURL must not contain query parameters rule: 'self.size() > 0 ? url(self).query == '''' : true' - message: discoveryURL must not contain user info @@ -446,9 +456,9 @@ spec: - issuerURL type: object x-kubernetes-validations: - - message: discoveryURL must be different from URL - rule: 'self.discoveryURL.size() > 0 ? (self.url.size() == - 0 || self.discoveryURL.find(''^.+[^/]'') != self.url.find(''^.+[^/]'')) + - message: discoveryURL must be different from issuerURL + rule: 'self.discoveryURL.size() > 0 ? (self.issuerURL.size() + == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: description: name of the OIDC provider From d3fdd66eb1c66326763d1ab14aca29c22f47b9d0 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Tue, 13 May 2025 15:14:49 +0200 Subject: [PATCH 06/12] made adjusments to cover review comments Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 6 +++--- ...authentications-Hypershift-CustomNoUpgrade.crd.yaml | 10 +++++----- ...entications-Hypershift-DevPreviewNoUpgrade.crd.yaml | 10 +++++----- ...ntications-Hypershift-TechPreviewNoUpgrade.crd.yaml | 10 +++++----- ...hentications-SelfManagedHA-CustomNoUpgrade.crd.yaml | 10 +++++----- ...ications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 10 +++++----- ...cations-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml | 10 +++++----- .../ExternalOIDCWithNewAuthConfigFields.yaml | 10 +++++----- ...authentications-Hypershift-CustomNoUpgrade.crd.yaml | 10 +++++----- ...entications-Hypershift-DevPreviewNoUpgrade.crd.yaml | 10 +++++----- ...ntications-Hypershift-TechPreviewNoUpgrade.crd.yaml | 10 +++++----- ...hentications-SelfManagedHA-CustomNoUpgrade.crd.yaml | 10 +++++----- ...ications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 10 +++++----- ...cations-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml | 10 +++++----- 14 files changed, 68 insertions(+), 68 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index faaa25595f9..141a1677ee9 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -316,9 +316,9 @@ type TokenIssuer struct { // +optional // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (isURL(self) && url(self).getScheme() == 'https') : true",message="discoveryURL must be a valid https URL" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).query == '' : true",message="discoveryURL must not contain query parameters" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).user == '' : true",message="discoveryURL must not contain user info" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).fragment == '' : true",message="discoveryURL must not contain a fragment" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('?') == null : true",message="discoveryURL must not contain query parameters" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('://') != null && self.find('@') == null : true",message="discoveryURL must not contain user info" + // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('#') == null : true",message="discoveryURL must not contain fragment" // +kubebuilder:validation:MaxLength=2048 // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields DiscoveryURL string `json:"discoveryURL,omitempty"` diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index 42da6638cf4..c22201da985 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 6aca805ccb7..100c49cca19 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 6d6b226a896..1d6f1e36065 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 0341b036b2e..c1914aa74a0 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 0a437c01d5d..1b3d767fb87 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 86d7bbc7847..bc2013e20a9 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index f9052e7991b..9e15f57ded1 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -275,12 +275,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index 42da6638cf4..c22201da985 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 6aca805ccb7..100c49cca19 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 6d6b226a896..1d6f1e36065 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index 0341b036b2e..c1914aa74a0 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 0a437c01d5d..1b3d767fb87 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index 86d7bbc7847..bc2013e20a9 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -425,12 +425,12 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? url(self).query == '''' : true' + rule: 'self.size() > 0 ? self.find(''?'') == null : true' - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? url(self).user == '''' : true' - - message: discoveryURL must not contain a fragment - rule: 'self.size() > 0 ? url(self).fragment == '''' : - true' + rule: 'self.size() > 0 ? self.find(''://'') != null && + self.find(''@'') == null : true' + - message: discoveryURL must not contain fragment + rule: 'self.size() > 0 ? self.find(''#'') == null : true' issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the From 6e58323d8ded217e9bc273a2ca1b5e953d6913db Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Fri, 16 May 2025 12:33:17 +0200 Subject: [PATCH 07/12] fixing tests Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 13 ++++---- ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 13 +++----- ...uthentications-Hypershift-Default.crd.yaml | 32 ++++++++++++++++--- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 13 +++----- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 13 +++----- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 13 +++----- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 13 +++----- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 13 +++----- .../ExternalOIDC.yaml | 32 ++++++++++++++++--- .../ExternalOIDCWithNewAuthConfigFields.yaml | 17 +++++----- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 32 ++++++++++++++++--- ...ations-Hypershift-CustomNoUpgrade.crd.yaml | 13 +++----- ...uthentications-Hypershift-Default.crd.yaml | 32 ++++++++++++++++--- ...ns-Hypershift-DevPreviewNoUpgrade.crd.yaml | 13 +++----- ...s-Hypershift-TechPreviewNoUpgrade.crd.yaml | 13 +++----- ...ons-SelfManagedHA-CustomNoUpgrade.crd.yaml | 13 +++----- ...SelfManagedHA-DevPreviewNoUpgrade.crd.yaml | 13 +++----- ...elfManagedHA-TechPreviewNoUpgrade.crd.yaml | 13 +++----- 18 files changed, 175 insertions(+), 139 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 141a1677ee9..0ed4570664e 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -251,7 +251,6 @@ type OIDCProvider struct { // +optional //+listType=atomic - // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } @@ -314,13 +313,13 @@ type TokenIssuer struct { // - Be different from the value of `url` (ignoring trailing slashes) // // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL" // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (isURL(self) && url(self).getScheme() == 'https') : true",message="discoveryURL must be a valid https URL" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('?') == null : true",message="discoveryURL must not contain query parameters" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('://') != null && self.find('@') == null : true",message="discoveryURL must not contain user info" - // +kubebuilder:validation:XValidation:rule="self.size() > 0 ? self.find('#') == null : true",message="discoveryURL must not contain fragment" + // +kubebuilder:validation:XValidation:rule="self.matches('^[^?]*$')",message="discoveryURL must not contain query parameters" + // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments" + // +kubebuilder:validation:XValidation:rule="self.matches('^[^@]*$')",message="discoveryURL must not contain user info" // +kubebuilder:validation:MaxLength=2048 - // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields DiscoveryURL string `json:"discoveryURL,omitempty"` // audienceMatchPolicy specifies how token audiences are matched. @@ -782,7 +781,7 @@ const ( // If type is Expression, expressionRule must be set. // // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Expression' ? has(self.expressionRule) : !has(self.expressionRule)",message="expressionRule must be set when type is 'Expression', and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithNewAuthConfigFields,rule="has(self.type) && self.type == 'Expression' ? has(self.expressionRule) : !has(self.expressionRule)",message="expressionRule must be set when type is 'Expression', and forbidden otherwise" type TokenClaimValidationRule struct { // type is an optional field that configures the type of the validation rule. @@ -831,6 +830,7 @@ type TokenRequiredClaim struct { RequiredValue string `json:"requiredValue"` } +// +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields type TokenExpressionRule struct { // Expression is a CEL expression evaluated against token claims. // The expression must be a non-empty string and no longer than 4096 characters. @@ -856,6 +856,7 @@ type TokenExpressionRule struct { // If the expression evaluates to false, the token is rejected. // See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. // At least one rule must evaluate to true for the token to be considered valid. +// +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields type TokenUserValidationRule struct { // Expression is a CEL expression that must evaluate // to true for the token to be accepted. The expression is evaluated against the token's diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index c22201da985..631a60ecd8b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index c2a90d9c9f6..c52342acd39 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -198,10 +198,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -303,6 +299,34 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - issuer - name diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 100c49cca19..35a93ad959c 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 1d6f1e36065..8f7ca9b741c 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index c1914aa74a0..3a12add701f 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 1b3d767fb87..e6df57e4854 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index bc2013e20a9..f7c5674b54b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index d263c4d4265..50ee72358c5 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -199,10 +199,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -304,6 +300,34 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - issuer - name diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index 9e15f57ded1..a01218868fe 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -219,14 +219,14 @@ spec: type: string type: object x-kubernetes-validations: - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - message: expressionRule must be set when type is 'Expression', and forbidden otherwise rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) : !has(self.expressionRule)' + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic issuer: @@ -275,12 +275,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 38d4415ca18..aa1658287c9 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -350,10 +350,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -455,6 +451,34 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - issuer - name diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml index c22201da985..631a60ecd8b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml index c2a90d9c9f6..c52342acd39 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml @@ -198,10 +198,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -303,6 +299,34 @@ spec: - componentNamespace - componentName x-kubernetes-list-type: map + userValidationRules: + items: + description: |- + TokenUserValidationRule provides a CEL-based rule used to validate a token subject. + Each rule contains a CEL expression that is evaluated against the token’s claims. + If the expression evaluates to false, the token is rejected. + See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. + At least one rule must evaluate to true for the token to be considered valid. + properties: + expression: + description: |- + Expression is a CEL expression that must evaluate + to true for the token to be accepted. The expression is evaluated against the token's + user information (e.g., username, groups). This field must be non-empty and may not + exceed 4096 characters. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + Message is an optional, human-readable message returned by the API server when + this validation rule fails. It can help clarify why a token was rejected. + type: string + required: + - expression + type: object + type: array + x-kubernetes-list-type: atomic required: - issuer - name diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml index 100c49cca19..35a93ad959c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml index 1d6f1e36065..8f7ca9b741c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml index c1914aa74a0..3a12add701f 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml index 1b3d767fb87..e6df57e4854 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml index bc2013e20a9..f7c5674b54b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml @@ -373,10 +373,6 @@ spec: and forbidden otherwise rule: 'has(self.type) && self.type == ''RequiredClaim'' ? has(self.requiredClaim) : !has(self.requiredClaim)' - - message: expressionRule must be set when type is 'Expression', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''Expression'' ? has(self.expressionRule) - : !has(self.expressionRule)' type: array x-kubernetes-list-type: atomic issuer: @@ -425,12 +421,11 @@ spec: rule: 'self.size() > 0 ? (isURL(self) && url(self).getScheme() == ''https'') : true' - message: discoveryURL must not contain query parameters - rule: 'self.size() > 0 ? self.find(''?'') == null : true' + rule: self.matches('^[^?]*$') + - message: discoveryURL must not contain fragments + rule: self.matches('^[^#]*$') - message: discoveryURL must not contain user info - rule: 'self.size() > 0 ? self.find(''://'') != null && - self.find(''@'') == null : true' - - message: discoveryURL must not contain fragment - rule: 'self.size() > 0 ? self.find(''#'') == null : true' + rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- CertificateAuthority is a reference to a config map in the From 68078a5581d86d9e32c9ff4b02a5fb826c8dcb79 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 18 Sep 2025 10:36:22 +0200 Subject: [PATCH 08/12] REBASING Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 0ed4570664e..a90f087394a 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -320,7 +320,7 @@ type TokenIssuer struct { // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments" // +kubebuilder:validation:XValidation:rule="self.matches('^[^@]*$')",message="discoveryURL must not contain user info" // +kubebuilder:validation:MaxLength=2048 - DiscoveryURL string `json:"discoveryURL,omitempty"` + DiscoveryURL *string `json:"discoveryURL,omitempty"` // audienceMatchPolicy specifies how token audiences are matched. // If omitted, the system applies a default policy. @@ -329,7 +329,7 @@ type TokenIssuer struct { // // +optional // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields - AudienceMatchPolicy AudienceMatchPolicy `json:"audienceMatchPolicy,omitempty"` + AudienceMatchPolicy *AudienceMatchPolicy `json:"audienceMatchPolicy,omitempty"` } // AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy. @@ -801,14 +801,13 @@ type TokenClaimValidationRule struct { // requiredClaim allows configuring a required claim name and its expected value. // RequiredClaim is used when type is RequiredClaim. // +optional - RequiredClaim *TokenRequiredClaim `json:"requiredClaim"` + RequiredClaim TokenRequiredClaim `json:"requiredClaim,omitzero"` // expressionRule contains the configuration for the "Expression" type. // Must be set if type == "Expression". // // +optional - // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields - ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` + ExpressionRule TokenExpressionRule `json:"expressionRule,omitzero,omitempty"` } type TokenRequiredClaim struct { @@ -832,14 +831,14 @@ type TokenRequiredClaim struct { // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields type TokenExpressionRule struct { - // Expression is a CEL expression evaluated against token claims. + // expression is a CEL expression evaluated against token claims. // The expression must be a non-empty string and no longer than 4096 characters. // This field is required. // // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=4096 // +required - Expression string `json:"expression"` + Expression string `json:"expression,omitempty"` // Message allows configuring the human-readable message that is returned // from the Kubernetes API server when a token fails validation based on @@ -858,7 +857,7 @@ type TokenExpressionRule struct { // At least one rule must evaluate to true for the token to be considered valid. // +openshift:enable:FeatureGate=ExternalOIDCWithNewAuthConfigFields type TokenUserValidationRule struct { - // Expression is a CEL expression that must evaluate + // expression is a CEL expression that must evaluate // to true for the token to be accepted. The expression is evaluated against the token's // user information (e.g., username, groups). This field must be non-empty and may not // exceed 4096 characters. @@ -871,5 +870,7 @@ type TokenUserValidationRule struct { // this validation rule fails. It can help clarify why a token was rejected. // // +optional - Message string `json:"message,omitempty"` + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + Message *string `json:"message,omitempty"` } From 64513cf3bc50c0e20ff4e70ab53903f5f3632db0 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 18 Sep 2025 11:19:55 +0200 Subject: [PATCH 09/12] REBASING Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index a90f087394a..7e3e992e207 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -285,7 +285,7 @@ type TokenIssuer struct { // // +listType=set // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=263 // +required Audiences []TokenAudience `json:"audiences"` From a7238c71150f29596a935059ef9c886e5c49c76b Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 18 Sep 2025 12:21:07 +0200 Subject: [PATCH 10/12] REBASING Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 10 +- config/v1/zz_generated.deepcopy.go | 10 + .../ExternalOIDC.yaml | 333 +- .../ExternalOIDCWithNewAuthConfigFields.yaml | 257 +- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 345 +- .../v1/zz_generated.swagger_doc_generated.go | 279 +- .../generated_openapi/zz_generated.openapi.go | 16010 ++++++++-------- openapi/openapi.json | 3114 +-- 8 files changed, 11161 insertions(+), 9197 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 7e3e992e207..a8fae842399 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -801,13 +801,13 @@ type TokenClaimValidationRule struct { // requiredClaim allows configuring a required claim name and its expected value. // RequiredClaim is used when type is RequiredClaim. // +optional - RequiredClaim TokenRequiredClaim `json:"requiredClaim,omitzero"` + RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"` // expressionRule contains the configuration for the "Expression" type. // Must be set if type == "Expression". // // +optional - ExpressionRule TokenExpressionRule `json:"expressionRule,omitzero,omitempty"` + ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` } type TokenRequiredClaim struct { @@ -840,7 +840,7 @@ type TokenExpressionRule struct { // +required Expression string `json:"expression,omitempty"` - // Message allows configuring the human-readable message that is returned + // message allows configuring the human-readable message that is returned // from the Kubernetes API server when a token fails validation based on // the CEL expression defined in 'expression'. This field is optional. // @@ -866,11 +866,11 @@ type TokenUserValidationRule struct { // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=4096 Expression string `json:"expression,omitempty"` - // Message is an optional, human-readable message returned by the API server when + // message is an optional, human-readable message returned by the API server when // this validation rule fails. It can help clarify why a token was rejected. // // +optional // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 - Message *string `json:"message,omitempty"` + Message string `json:"message,omitempty"` } diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 813defd181b..4a300c62165 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -6299,6 +6299,16 @@ func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer) { copy(*out, *in) } out.CertificateAuthority = in.CertificateAuthority + if in.DiscoveryURL != nil { + in, out := &in.DiscoveryURL, &out.DiscoveryURL + *out = new(string) + **out = **in + } + if in.AudienceMatchPolicy != nil { + in, out := &in.AudienceMatchPolicy, &out.AudienceMatchPolicy + *out = new(AudienceMatchPolicy) + **out = **in + } return } diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index 50ee72358c5..e26bfa2da4d 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -80,27 +80,34 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -109,18 +116,33 @@ spec: type: object username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -128,25 +150,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -161,12 +186,42 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -178,8 +233,13 @@ spec: minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -188,7 +248,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim - Expression @@ -202,27 +272,36 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string - maxItems: 10 + maxItems: 263 minItems: 1 type: array x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -233,33 +312,77 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' required: - audiences - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -270,21 +393,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -311,7 +447,7 @@ spec: properties: expression: description: |- - Expression is a CEL expression that must evaluate + expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters. @@ -320,8 +456,10 @@ spec: type: string message: description: |- - Message is an optional, human-readable message returned by the API server when + message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected. + maxLength: 256 + minLength: 1 type: string required: - expression @@ -329,6 +467,7 @@ spec: type: array x-kubernetes-list-type: atomic required: + - claimMappings - issuer - name type: object @@ -452,16 +591,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -535,8 +687,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -548,24 +702,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index a01218868fe..ceec3852f45 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -80,27 +80,34 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -109,18 +116,33 @@ spec: type: object username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -128,25 +150,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -161,10 +186,16 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: expressionRule: @@ -174,7 +205,7 @@ spec: properties: expression: description: |- - Expression is a CEL expression evaluated against token claims. + expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required. maxLength: 4096 @@ -182,7 +213,7 @@ spec: type: string message: description: |- - Message allows configuring the human-readable message that is returned + message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional. maxLength: 256 @@ -202,8 +233,13 @@ spec: minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -212,7 +248,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim - Expression @@ -230,7 +276,10 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audienceMatchPolicy: description: |- @@ -244,14 +293,15 @@ spec: type: string audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string - maxItems: 10 + maxItems: 263 minItems: 1 type: array x-kubernetes-list-type: set @@ -282,10 +332,15 @@ spec: rule: self.matches('^[^@]*$') issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -296,10 +351,27 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' required: - audiences - issuerURL @@ -310,24 +382,51 @@ spec: == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) : true' name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -338,21 +437,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -379,7 +491,7 @@ spec: properties: expression: description: |- - Expression is a CEL expression that must evaluate + expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters. @@ -388,8 +500,10 @@ spec: type: string message: description: |- - Message is an optional, human-readable message returned by the API server when + message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected. + maxLength: 256 + minLength: 1 type: string required: - expression @@ -397,6 +511,7 @@ spec: type: array x-kubernetes-list-type: atomic required: + - claimMappings - issuer - name type: object diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index aa1658287c9..8ad8daf0639 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -80,8 +80,9 @@ spec: properties: claimMappings: description: |- - claimMappings describes rules on how to transform information from an - ID token into a cluster identity + claimMappings is a required field that configures the rules to be used by + the Kubernetes API server for translating claims in a JWT token, issued + by the identity provider, to a cluster identity. properties: extra: description: |- @@ -89,7 +90,7 @@ spec: used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. - A maximum of 64 extra attribute mappings may be provided. + A maximum of 32 extra attribute mappings may be provided. items: description: |- ExtraMapping allows specifying a key and CEL expression @@ -170,38 +171,44 @@ spec: For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). - valueExpression must not exceed 4096 characters in length. + valueExpression must not exceed 1024 characters in length. valueExpression must not be empty. - maxLength: 4096 + maxLength: 1024 minLength: 1 type: string required: - key - valueExpression type: object - maxItems: 64 + maxItems: 32 type: array x-kubernetes-list-map-keys: - key x-kubernetes-list-type: map groups: description: |- - groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. + groups is an optional field that configures how the groups of a cluster identity + should be constructed from the claims in a JWT token issued + by the identity provider. + When referencing a claim, if the claim is present in the JWT + token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. type: string prefix: description: |- - prefix is a string to prefix the value from the token in the result of the - claim mapping. + prefix is an optional field that configures the prefix that will be + applied to the cluster identity attribute during the process of mapping + JWT claims to cluster identity attributes. - By default, no prefixing occurs. + When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string @@ -249,8 +256,8 @@ spec: Precisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length - and must not exceed 4096 characters in length. - maxLength: 4096 + and must not exceed 1024 characters in length. + maxLength: 1024 minLength: 1 type: string type: object @@ -260,18 +267,33 @@ spec: rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: description: |- - username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" + username is a required field that configures how the username of a cluster identity + should be constructed from the claims in a JWT token issued by the identity provider. properties: claim: - description: claim is a JWT token claim to be used in - the mapping + description: |- + claim is a required field that configures the JWT token + claim whose value is assigned to the cluster identity + field associated with this mapping. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 type: string prefix: + description: |- + prefix configures the prefix that should be prepended to the value + of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: prefixString: + description: |- + prefixString is a required field that configures the prefix that will + be applied to cluster identity username attribute + during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). minLength: 1 type: string required: @@ -279,25 +301,28 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" + prefixPolicy is an optional field that configures how a prefix should be + applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be + prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + + When set to 'NoPrefix', no prefix will be prepended to the value + of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose + any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim + when the claim is not 'email'. + As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" enum: - "" - NoPrefix @@ -312,12 +337,42 @@ spec: rule: 'has(self.prefixPolicy) && self.prefixPolicy == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)' + required: + - username type: object claimValidationRules: - description: claimValidationRules are rules that are applied - to validate token claims to authenticate users. + description: |- + claimValidationRules is an optional field that configures the rules to + be used by the Kubernetes API server for validating the claims in a JWT + token issued by the identity provider. + + Validation rules are joined via an AND operation. items: properties: + expressionRule: + description: |- + expressionRule contains the configuration for the "Expression" type. + Must be set if type == "Expression". + properties: + expression: + description: |- + expression is a CEL expression evaluated against token claims. + The expression must be a non-empty string and no longer than 4096 characters. + This field is required. + maxLength: 4096 + minLength: 1 + type: string + message: + description: |- + message allows configuring the human-readable message that is returned + from the Kubernetes API server when a token fails validation based on + the CEL expression defined in 'expression'. This field is optional. + maxLength: 256 + minLength: 1 + type: string + required: + - expression + type: object requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. @@ -329,8 +384,13 @@ spec: minLength: 1 type: string requiredValue: - description: requiredValue is the required value for - the claim. + description: |- + requiredValue is a required field that configures the value that 'claim' must + have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token + will be rejected for authentication. + + requiredValue must not be an empty string (""). minLength: 1 type: string required: @@ -339,7 +399,17 @@ spec: type: object type: default: RequiredClaim - description: type sets the type of the validation rule + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are 'RequiredClaim' and omitted (not provided or an empty string). + + When set to 'RequiredClaim', the Kubernetes API server + will be configured to validate that the incoming JWT + contains the required claim and that its value matches + the required value. + + Defaults to 'RequiredClaim'. enum: - RequiredClaim - Expression @@ -353,27 +423,36 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: issuer describes atributes of the OIDC token issuer + description: |- + issuer is a required field that configures how the platform interacts + with the identity provider and how tokens issued from the identity provider + are evaluated by the Kubernetes API server. properties: audiences: description: |- - audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. + audiences is a required field that configures the acceptable audiences + the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. items: minLength: 1 type: string - maxItems: 10 + maxItems: 263 minItems: 1 type: array x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. + issuerCertificateAuthority is an optional field that configures the + certificate authority, used by the Kubernetes API server, to validate + the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config + namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' + key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -384,33 +463,77 @@ spec: type: object issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] + issuerURL is a required field that configures the URL used to issue tokens + by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled + by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' required: - audiences - issuerURL type: object name: - description: name of the OIDC provider + description: |- + name is a required field that configures the unique human-readable identifier + associated with the identity provider. + It is used to distinguish between multiple identity providers + and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients contains configuration for the platform's clients that - need to request tokens from the issuer + oidcClients is an optional field that configures how on-cluster, + platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: + description: |- + OIDCClientConfig configures how platform clients + interact with identity providers as an authentication + method properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that configures the client identifier, from + the identity provider, that the platform component uses for authentication + requests made to the identity provider. + The identity provider must accept this identifier for platform components + to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field + clientSecret is an optional field that configures the client secret used + by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests + to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' + namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private + clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -421,21 +544,34 @@ spec: type: object componentName: description: |- - componentName is the name of the component that is supposed to consume this - client configuration + componentName is a required field that specifies the name of the platform + component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: description: |- - componentNamespace is the namespace of the component that is supposed to consume this - client configuration + componentNamespace is a required field that specifies the namespace in which the + platform component being configured to use the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string extraScopes: - description: extraScopes is an optional set of scopes - to request tokens with. + description: |- + extraScopes is an optional field that configures the extra scopes that should + be requested by the platform component when making authentication requests to the + identity provider. + This is useful if you have configured claim mappings that requires specific + scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. items: type: string type: array @@ -462,7 +598,7 @@ spec: properties: expression: description: |- - Expression is a CEL expression that must evaluate + expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters. @@ -471,8 +607,10 @@ spec: type: string message: description: |- - Message is an optional, human-readable message returned by the API server when + message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected. + maxLength: 256 + minLength: 1 type: string required: - expression @@ -480,6 +618,7 @@ spec: type: array x-kubernetes-list-type: atomic required: + - claimMappings - issuer - name type: object @@ -603,16 +742,29 @@ spec: oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin. items: + description: |- + OIDCClientStatus represents the current state + of platform components and how they interact with + the configured identity providers. properties: componentName: - description: componentName is the name of the component that - will consume a client configuration. + description: |- + componentName is a required field that specifies the name of the platform + component using the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string componentNamespace: - description: componentNamespace is the namespace of the component - that will consume a client configuration. + description: |- + componentNamespace is a required field that specifies the namespace in which the + platform component using the identity provider as an authentication + mode is running. + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. maxLength: 63 minLength: 1 type: string @@ -686,8 +838,10 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is a slice of ServiceAccounts that need to have read - permission on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring + read permissions on the `clientSecret` secret. + + consumingUsers must not exceed 5 entries. items: description: ConsumingUser is an alias for string which we add validation to. Currently only service accounts are supported. @@ -699,24 +853,37 @@ spec: type: array x-kubernetes-list-type: set currentOIDCClients: - description: currentOIDCClients is a list of clients that the - component is currently using. + description: |- + currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: + description: |- + OIDCClientReference is a reference to a platform component + client configuration. properties: clientID: - description: clientID is the identifier of the OIDC client - from the OIDC provider + description: |- + clientID is a required field that specifies the client identifier, from + the identity provider, that the platform component is using for authentication + requests made to the identity provider. + + clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. + issuerURL is a required field that specifies the URL of the identity + provider that this client is configured to make requests against. + + issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: - description: OIDCName refers to the `name` of the provider - from `oidcProviders` + description: |- + oidcProviderName is a required reference to the 'name' of the identity provider + configured in 'oidcProviders' that this client is associated with. + + oidcProviderName must not be an empty string (""). minLength: 1 type: string required: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 46fb4f6bfab..79b00d81e5c 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -318,7 +318,7 @@ var map_APIServerSpec = map[string]string{ "clientCA": "clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. You usually only have to set this if you have your own PKI you wish to honor client certificates from. The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - ConfigMap.Data[\"ca-bundle.crt\"] - CA bundle.", "additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", - "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", } @@ -399,7 +399,7 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { var map_ExtraMapping = map[string]string{ "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", - "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", + "valueExpression": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", } func (ExtraMapping) SwaggerDoc() map[string]string { @@ -407,11 +407,12 @@ func (ExtraMapping) SwaggerDoc() map[string]string { } var map_OIDCClientConfig = map[string]string{ - "componentName": "componentName is the name of the component that is supposed to consume this client configuration", - "componentNamespace": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", - "clientSecret": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", - "extraScopes": "extraScopes is an optional set of scopes to request tokens with.", + "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } func (OIDCClientConfig) SwaggerDoc() map[string]string { @@ -419,9 +420,10 @@ func (OIDCClientConfig) SwaggerDoc() map[string]string { } var map_OIDCClientReference = map[string]string{ - "oidcProviderName": "OIDCName refers to the `name` of the provider from `oidcProviders`", - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "clientID": "clientID is the identifier of the OIDC client from the OIDC provider", + "": "OIDCClientReference is a reference to a platform component client configuration.", + "oidcProviderName": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", + "issuerURL": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", + "clientID": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", } func (OIDCClientReference) SwaggerDoc() map[string]string { @@ -429,10 +431,11 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { } var map_OIDCClientStatus = map[string]string{ - "componentName": "componentName is the name of the component that will consume a client configuration.", - "componentNamespace": "componentNamespace is the namespace of the component that will consume a client configuration.", - "currentOIDCClients": "currentOIDCClients is a list of clients that the component is currently using.", - "consumingUsers": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } @@ -441,11 +444,11 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name of the OIDC provider", - "issuer": "issuer describes atributes of the OIDC token issuer", - "oidcClients": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", - "claimMappings": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", - "claimValidationRules": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -453,7 +456,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "prefix": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { @@ -461,7 +465,8 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "claim": "claim is a JWT token claim to be used in the mapping", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { @@ -469,10 +474,10 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMappings = map[string]string{ - "username": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", - "groups": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", - "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { @@ -482,7 +487,7 @@ func (TokenClaimMappings) SwaggerDoc() map[string]string { var map_TokenClaimOrExpressionMapping = map[string]string{ "": "TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.", "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated.\n\nPrecisely one of claim or expression must be set. claim must not be specified when expression is set. When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.", - "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", + "expression": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", } func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { @@ -490,7 +495,7 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string { } var map_TokenClaimValidationRule = map[string]string{ - "type": "type sets the type of the validation rule", + "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. RequiredClaim is used when type is RequiredClaim.", "expressionRule": "expressionRule contains the configuration for the \"Expression\" type. Must be set if type == \"Expression\".", } @@ -500,8 +505,8 @@ func (TokenClaimValidationRule) SwaggerDoc() map[string]string { } var map_TokenExpressionRule = map[string]string{ - "expression": "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", - "message": "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", + "expression": "expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", + "message": "message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", } func (TokenExpressionRule) SwaggerDoc() map[string]string { @@ -509,9 +514,9 @@ func (TokenExpressionRule) SwaggerDoc() map[string]string { } var map_TokenIssuer = map[string]string{ - "issuerURL": "URL is the serving URL of the token issuer. Must use the https:// scheme.", - "audiences": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", - "issuerCertificateAuthority": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", + "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", + "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `url` as \"{url}/.well-known/openid-configuration\".\n\nThe discoveryURL must:\n - Be a valid absolute URL.\n - Use the HTTPS scheme.\n - Not contain query parameters, user info, or fragments.\n - Be different from the value of `url` (ignoring trailing slashes)", "audienceMatchPolicy": "audienceMatchPolicy specifies how token audiences are matched. If omitted, the system applies a default policy. Valid values are: - \"MatchAny\": The token is accepted if any of its audiences match any of the configured audiences.", } @@ -522,7 +527,7 @@ func (TokenIssuer) SwaggerDoc() map[string]string { var map_TokenRequiredClaim = map[string]string{ "claim": "claim is a name of a required claim. Only claims with string values are supported.", - "requiredValue": "requiredValue is the required value for the claim.", + "requiredValue": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", } func (TokenRequiredClaim) SwaggerDoc() map[string]string { @@ -531,8 +536,8 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { var map_TokenUserValidationRule = map[string]string{ "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims. If the expression evaluates to false, the token is rejected. See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax. At least one rule must evaluate to true for the token to be considered valid.", - "expression": "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", - "message": "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", + "expression": "expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + "message": "message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", } func (TokenUserValidationRule) SwaggerDoc() map[string]string { @@ -540,13 +545,24 @@ func (TokenUserValidationRule) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "prefixPolicy": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } func (UsernameClaimMapping) SwaggerDoc() map[string]string { return map_UsernameClaimMapping } +var map_UsernamePrefix = map[string]string{ + "": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + "prefixString": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", +} + +func (UsernamePrefix) SwaggerDoc() map[string]string { + return map_UsernamePrefix +} + var map_WebhookTokenAuthenticator = map[string]string{ "": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "kubeConfig": "kubeConfig references a secret that contains kube config file data which describes how to access the remote webhook service. The namespace for the referenced secret is openshift-config.\n\nFor further details, see:\n\nhttps://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication\n\nThe key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored.", @@ -617,8 +633,47 @@ func (ImageLabel) SwaggerDoc() map[string]string { return map_ImageLabel } +var map_ClusterImagePolicy = map[string]string{ + "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the configuration for the cluster image policy.", + "status": "status contains the observed state of the resource.", +} + +func (ClusterImagePolicy) SwaggerDoc() map[string]string { + return map_ClusterImagePolicy +} + +var map_ClusterImagePolicyList = map[string]string{ + "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ClusterImagePolices", +} + +func (ClusterImagePolicyList) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyList +} + +var map_ClusterImagePolicySpec = map[string]string{ + "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { + return map_ClusterImagePolicySpec +} + +var map_ClusterImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyStatus +} + var map_ClusterOperator = map[string]string{ - "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "": "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", "spec": "spec holds configuration that could apply to any operator.", "status": "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", @@ -746,7 +801,7 @@ var map_ClusterVersionSpec = map[string]string{ "clusterID": "clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal values). This is a required field.", "desiredUpdate": "desiredUpdate is an optional field that indicates the desired value of the cluster version. Setting this value will trigger an upgrade (if the current version does not match the desired version). The set of recommended update values is listed as part of available updates in status, and setting values outside that range may cause the upgrade to fail.\n\nSome of the fields are inter-related with restrictions and meanings described here. 1. image is specified, version is specified, architecture is specified. API validation error. 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version. 3. image is specified, version is not specified, architecture is specified. API validation error. 4. image is specified, version is not specified, architecture is not specified. image is used. 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image. 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image. 7. image is not specified, version is not specified, architecture is specified. API validation error. 8. image is not specified, version is not specified, architecture is not specified. API validation error.\n\nIf an upgrade fails the operator will halt and report status about the failing component. Setting the desired update value back to the previous version will cause a rollback to be attempted. Not all rollbacks will succeed.", "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", - "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + "channel": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", @@ -860,7 +915,7 @@ var map_UpdateHistory = map[string]string{ "version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.", "image": "image is a container image location that contains the update. This value is always populated.", "verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.", - "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", } func (UpdateHistory) SwaggerDoc() map[string]string { @@ -1181,6 +1236,147 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } +var map_FulcioCAWithRekor = map[string]string{ + "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (FulcioCAWithRekor) SwaggerDoc() map[string]string { + return map_FulcioCAWithRekor +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ImagePolicies", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + +var map_PolicyFulcioSubject = map[string]string{ + "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", +} + +func (PolicyFulcioSubject) SwaggerDoc() map[string]string { + return map_PolicyFulcioSubject +} + +var map_PolicyIdentity = map[string]string{ + "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "matchPolicy": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "remapIdentity": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", +} + +func (PolicyIdentity) SwaggerDoc() map[string]string { + return map_PolicyIdentity +} + +var map_PolicyMatchExactRepository = map[string]string{ + "repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", +} + +func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { + return map_PolicyMatchExactRepository +} + +var map_PolicyMatchRemapIdentity = map[string]string{ + "prefix": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", +} + +func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { + return map_PolicyMatchRemapIdentity +} + +var map_PolicyRootOfTrust = map[string]string{ + "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", +} + +func (PolicyRootOfTrust) SwaggerDoc() map[string]string { + return map_PolicyRootOfTrust +} + +var map_PublicKey = map[string]string{ + "": "PublicKey defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (PublicKey) SwaggerDoc() map[string]string { + return map_PublicKey +} + var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1306,6 +1502,7 @@ var map_AzurePlatformStatus = map[string]string{ "cloudName": "cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the value is equal to `AzurePublicCloud`.", "armEndpoint": "armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.", "resourceTags": "resourceTags is a list of additional tags to apply to Azure resources created for the cluster. See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources. Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.", + "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (AzurePlatformStatus) SwaggerDoc() map[string]string { @@ -1438,7 +1635,7 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", + "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -1478,7 +1675,7 @@ func (GCPServiceEndpoint) SwaggerDoc() map[string]string { var map_IBMCloudPlatformSpec = map[string]string{ "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", } func (IBMCloudPlatformSpec) SwaggerDoc() map[string]string { @@ -1492,7 +1689,7 @@ var map_IBMCloudPlatformStatus = map[string]string{ "providerType": "providerType indicates the type of cluster that was created", "cisInstanceCRN": "cisInstanceCRN is the CRN of the Cloud Internet Services instance managing the DNS zone for the cluster's base domain", "dnsInstanceCRN": "dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone for the cluster's base domain", - "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", } func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 6c4e012605e..88069fe5aca 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -185,6 +185,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.CloudLoadBalancerConfig": schema_openshift_api_config_v1_CloudLoadBalancerConfig(ref), "github.com/openshift/api/config/v1.CloudLoadBalancerIPs": schema_openshift_api_config_v1_CloudLoadBalancerIPs(ref), "github.com/openshift/api/config/v1.ClusterCondition": schema_openshift_api_config_v1_ClusterCondition(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicy": schema_openshift_api_config_v1_ClusterImagePolicy(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicyList": schema_openshift_api_config_v1_ClusterImagePolicyList(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicySpec": schema_openshift_api_config_v1_ClusterImagePolicySpec(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicyStatus": schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ClusterNetworkEntry": schema_openshift_api_config_v1_ClusterNetworkEntry(ref), "github.com/openshift/api/config/v1.ClusterOperator": schema_openshift_api_config_v1_ClusterOperator(ref), "github.com/openshift/api/config/v1.ClusterOperatorList": schema_openshift_api_config_v1_ClusterOperatorList(ref), @@ -237,6 +241,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.FeatureGateSpec": schema_openshift_api_config_v1_FeatureGateSpec(ref), "github.com/openshift/api/config/v1.FeatureGateStatus": schema_openshift_api_config_v1_FeatureGateStatus(ref), "github.com/openshift/api/config/v1.FeatureGateTests": schema_openshift_api_config_v1_FeatureGateTests(ref), + "github.com/openshift/api/config/v1.FulcioCAWithRekor": schema_openshift_api_config_v1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1.GCPPlatformSpec": schema_openshift_api_config_v1_GCPPlatformSpec(ref), "github.com/openshift/api/config/v1.GCPPlatformStatus": schema_openshift_api_config_v1_GCPPlatformStatus(ref), "github.com/openshift/api/config/v1.GCPResourceLabel": schema_openshift_api_config_v1_GCPResourceLabel(ref), @@ -267,6 +272,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ImageDigestMirrors": schema_openshift_api_config_v1_ImageDigestMirrors(ref), "github.com/openshift/api/config/v1.ImageLabel": schema_openshift_api_config_v1_ImageLabel(ref), "github.com/openshift/api/config/v1.ImageList": schema_openshift_api_config_v1_ImageList(ref), + "github.com/openshift/api/config/v1.ImagePolicy": schema_openshift_api_config_v1_ImagePolicy(ref), + "github.com/openshift/api/config/v1.ImagePolicyList": schema_openshift_api_config_v1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1.ImagePolicySpec": schema_openshift_api_config_v1_ImagePolicySpec(ref), + "github.com/openshift/api/config/v1.ImagePolicyStatus": schema_openshift_api_config_v1_ImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ImageSpec": schema_openshift_api_config_v1_ImageSpec(ref), "github.com/openshift/api/config/v1.ImageStatus": schema_openshift_api_config_v1_ImageStatus(ref), "github.com/openshift/api/config/v1.ImageTagMirrorSet": schema_openshift_api_config_v1_ImageTagMirrorSet(ref), @@ -342,8 +351,16 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.OvirtPlatformLoadBalancer": schema_openshift_api_config_v1_OvirtPlatformLoadBalancer(ref), "github.com/openshift/api/config/v1.OvirtPlatformSpec": schema_openshift_api_config_v1_OvirtPlatformSpec(ref), "github.com/openshift/api/config/v1.OvirtPlatformStatus": schema_openshift_api_config_v1_OvirtPlatformStatus(ref), + "github.com/openshift/api/config/v1.PKI": schema_openshift_api_config_v1_PKI(ref), + "github.com/openshift/api/config/v1.PKICertificateSubject": schema_openshift_api_config_v1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1.PlatformSpec": schema_openshift_api_config_v1_PlatformSpec(ref), "github.com/openshift/api/config/v1.PlatformStatus": schema_openshift_api_config_v1_PlatformStatus(ref), + "github.com/openshift/api/config/v1.Policy": schema_openshift_api_config_v1_Policy(ref), + "github.com/openshift/api/config/v1.PolicyFulcioSubject": schema_openshift_api_config_v1_PolicyFulcioSubject(ref), + "github.com/openshift/api/config/v1.PolicyIdentity": schema_openshift_api_config_v1_PolicyIdentity(ref), + "github.com/openshift/api/config/v1.PolicyMatchExactRepository": schema_openshift_api_config_v1_PolicyMatchExactRepository(ref), + "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref), + "github.com/openshift/api/config/v1.PolicyRootOfTrust": schema_openshift_api_config_v1_PolicyRootOfTrust(ref), "github.com/openshift/api/config/v1.PowerVSPlatformSpec": schema_openshift_api_config_v1_PowerVSPlatformSpec(ref), "github.com/openshift/api/config/v1.PowerVSPlatformStatus": schema_openshift_api_config_v1_PowerVSPlatformStatus(ref), "github.com/openshift/api/config/v1.PowerVSServiceEndpoint": schema_openshift_api_config_v1_PowerVSServiceEndpoint(ref), @@ -358,6 +375,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ProxyList": schema_openshift_api_config_v1_ProxyList(ref), "github.com/openshift/api/config/v1.ProxySpec": schema_openshift_api_config_v1_ProxySpec(ref), "github.com/openshift/api/config/v1.ProxyStatus": schema_openshift_api_config_v1_ProxyStatus(ref), + "github.com/openshift/api/config/v1.PublicKey": schema_openshift_api_config_v1_PublicKey(ref), "github.com/openshift/api/config/v1.RegistryLocation": schema_openshift_api_config_v1_RegistryLocation(ref), "github.com/openshift/api/config/v1.RegistrySources": schema_openshift_api_config_v1_RegistrySources(ref), "github.com/openshift/api/config/v1.Release": schema_openshift_api_config_v1_Release(ref), @@ -406,6 +424,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.VSpherePlatformTopology": schema_openshift_api_config_v1_VSpherePlatformTopology(ref), "github.com/openshift/api/config/v1.VSpherePlatformVCenterSpec": schema_openshift_api_config_v1_VSpherePlatformVCenterSpec(ref), "github.com/openshift/api/config/v1.WebhookTokenAuthenticator": schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref), + "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig": schema_openshift_api_config_v1alpha1_AlertmanagerConfig(ref), + "github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig": schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref), + "github.com/openshift/api/config/v1alpha1.Audit": schema_openshift_api_config_v1alpha1_Audit(ref), "github.com/openshift/api/config/v1alpha1.Backup": schema_openshift_api_config_v1alpha1_Backup(ref), "github.com/openshift/api/config/v1alpha1.BackupList": schema_openshift_api_config_v1alpha1_BackupList(ref), "github.com/openshift/api/config/v1alpha1.BackupSpec": schema_openshift_api_config_v1alpha1_BackupSpec(ref), @@ -418,6 +439,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringList": schema_openshift_api_config_v1alpha1_ClusterMonitoringList(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringSpec": schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), + "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor": schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), @@ -429,6 +451,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), + "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), @@ -570,6 +593,20 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/insights/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_insights_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/insights/v1alpha1.PersistentVolumeConfig": schema_openshift_api_insights_v1alpha1_PersistentVolumeConfig(ref), "github.com/openshift/api/insights/v1alpha1.Storage": schema_openshift_api_insights_v1alpha1_Storage(ref), + "github.com/openshift/api/insights/v1alpha2.Custom": schema_openshift_api_insights_v1alpha2_Custom(ref), + "github.com/openshift/api/insights/v1alpha2.DataGather": schema_openshift_api_insights_v1alpha2_DataGather(ref), + "github.com/openshift/api/insights/v1alpha2.DataGatherList": schema_openshift_api_insights_v1alpha2_DataGatherList(ref), + "github.com/openshift/api/insights/v1alpha2.DataGatherSpec": schema_openshift_api_insights_v1alpha2_DataGatherSpec(ref), + "github.com/openshift/api/insights/v1alpha2.DataGatherStatus": schema_openshift_api_insights_v1alpha2_DataGatherStatus(ref), + "github.com/openshift/api/insights/v1alpha2.GathererConfig": schema_openshift_api_insights_v1alpha2_GathererConfig(ref), + "github.com/openshift/api/insights/v1alpha2.GathererStatus": schema_openshift_api_insights_v1alpha2_GathererStatus(ref), + "github.com/openshift/api/insights/v1alpha2.Gatherers": schema_openshift_api_insights_v1alpha2_Gatherers(ref), + "github.com/openshift/api/insights/v1alpha2.HealthCheck": schema_openshift_api_insights_v1alpha2_HealthCheck(ref), + "github.com/openshift/api/insights/v1alpha2.InsightsReport": schema_openshift_api_insights_v1alpha2_InsightsReport(ref), + "github.com/openshift/api/insights/v1alpha2.ObjectReference": schema_openshift_api_insights_v1alpha2_ObjectReference(ref), + "github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference": schema_openshift_api_insights_v1alpha2_PersistentVolumeClaimReference(ref), + "github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig": schema_openshift_api_insights_v1alpha2_PersistentVolumeConfig(ref), + "github.com/openshift/api/insights/v1alpha2.Storage": schema_openshift_api_insights_v1alpha2_Storage(ref), "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig": schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref), "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerConfig": schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref), "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig": schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref), @@ -788,9 +825,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderSpec": schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref), "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderStatus": schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref), "github.com/openshift/api/machine/v1beta1.Workspace": schema_openshift_api_machine_v1beta1_Workspace(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs": schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs": schema_openshift_api_machineconfiguration_v1alpha1_BuildOutputs(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_ImageSecretObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeList": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref), @@ -799,26 +833,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigPoolReference(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuild(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildList": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildList(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildSpec(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuilderReference(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigList": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigList(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigReference(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigSpec(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSContainerfile(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder": schema_openshift_api_machineconfiguration_v1alpha1_MachineOSImageBuilder(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference": schema_openshift_api_machineconfiguration_v1alpha1_ObjectReference(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageRef": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageRef(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSet": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSet(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetList": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetList(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetSpec": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetSpec(ref), "github.com/openshift/api/machineconfiguration/v1alpha1.PinnedImageSetStatus": schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetStatus(ref), - "github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference": schema_openshift_api_machineconfiguration_v1alpha1_RenderedMachineConfigReference(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfig": schema_openshift_api_monitoring_v1_AlertRelabelConfig(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfigList": schema_openshift_api_monitoring_v1_AlertRelabelConfigList(ref), "github.com/openshift/api/monitoring/v1.AlertRelabelConfigSpec": schema_openshift_api_monitoring_v1_AlertRelabelConfigSpec(ref), @@ -1003,6 +1022,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.InsightsOperatorSpec": schema_openshift_api_operator_v1_InsightsOperatorSpec(ref), "github.com/openshift/api/operator/v1.InsightsOperatorStatus": schema_openshift_api_operator_v1_InsightsOperatorStatus(ref), "github.com/openshift/api/operator/v1.InsightsReport": schema_openshift_api_operator_v1_InsightsReport(ref), + "github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides": schema_openshift_api_operator_v1_IrreconcilableValidationOverrides(ref), "github.com/openshift/api/operator/v1.KubeAPIServer": schema_openshift_api_operator_v1_KubeAPIServer(ref), "github.com/openshift/api/operator/v1.KubeAPIServerList": schema_openshift_api_operator_v1_KubeAPIServerList(ref), "github.com/openshift/api/operator/v1.KubeAPIServerSpec": schema_openshift_api_operator_v1_KubeAPIServerSpec(ref), @@ -1183,12 +1203,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/osin/v1.SessionSecret": schema_openshift_api_osin_v1_SessionSecret(ref), "github.com/openshift/api/osin/v1.SessionSecrets": schema_openshift_api_osin_v1_SessionSecrets(ref), "github.com/openshift/api/osin/v1.TokenConfig": schema_openshift_api_osin_v1_TokenConfig(ref), - "github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment": schema_openshift_api_platform_v1alpha1_ActiveBundleDeployment(ref), - "github.com/openshift/api/platform/v1alpha1.Package": schema_openshift_api_platform_v1alpha1_Package(ref), - "github.com/openshift/api/platform/v1alpha1.PlatformOperator": schema_openshift_api_platform_v1alpha1_PlatformOperator(ref), - "github.com/openshift/api/platform/v1alpha1.PlatformOperatorList": schema_openshift_api_platform_v1alpha1_PlatformOperatorList(ref), - "github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec": schema_openshift_api_platform_v1alpha1_PlatformOperatorSpec(ref), - "github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus": schema_openshift_api_platform_v1alpha1_PlatformOperatorStatus(ref), "github.com/openshift/api/project/v1.Project": schema_openshift_api_project_v1_Project(ref), "github.com/openshift/api/project/v1.ProjectList": schema_openshift_api_project_v1_ProjectList(ref), "github.com/openshift/api/project/v1.ProjectRequest": schema_openshift_api_project_v1_ProjectRequest(ref), @@ -1406,6 +1420,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "k8s.io/api/core/v1.NodeSelectorTerm": schema_k8sio_api_core_v1_NodeSelectorTerm(ref), "k8s.io/api/core/v1.NodeSpec": schema_k8sio_api_core_v1_NodeSpec(ref), "k8s.io/api/core/v1.NodeStatus": schema_k8sio_api_core_v1_NodeStatus(ref), + "k8s.io/api/core/v1.NodeSwapStatus": schema_k8sio_api_core_v1_NodeSwapStatus(ref), "k8s.io/api/core/v1.NodeSystemInfo": schema_k8sio_api_core_v1_NodeSystemInfo(ref), "k8s.io/api/core/v1.ObjectFieldSelector": schema_k8sio_api_core_v1_ObjectFieldSelector(ref), "k8s.io/api/core/v1.ObjectReference": schema_k8sio_api_core_v1_ObjectReference(ref), @@ -2525,7 +2540,6 @@ func schema_openshift_api_apps_v1_DeploymentConfigStatus(ref common.ReferenceCal }, }, }, - Required: []string{"latestVersion", "observedGeneration", "replicas", "updatedReplicas", "availableReplicas", "unavailableReplicas"}, }, }, Dependencies: []string{ @@ -5088,7 +5102,6 @@ func schema_openshift_api_authorization_v1_SubjectRulesReviewStatus(ref common.R }, }, }, - Required: []string{"rules"}, }, }, Dependencies: []string{ @@ -5658,7 +5671,6 @@ func schema_openshift_api_build_v1_BuildConfigStatus(ref common.ReferenceCallbac }, }, }, - Required: []string{"lastVersion"}, }, }, Dependencies: []string{ @@ -6368,7 +6380,6 @@ func schema_openshift_api_build_v1_BuildStatus(ref common.ReferenceCallback) com }, }, }, - Required: []string{"phase"}, }, }, Dependencies: []string{ @@ -8532,7 +8543,7 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) }, "tlsSecurityProfile": { SchemaProps: spec.SchemaProps{ - Description: "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + Description: "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", Ref: ref("github.com/openshift/api/config/v1.TLSSecurityProfile"), }, }, @@ -8592,6 +8603,7 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) "type": { SchemaProps: spec.SchemaProps{ Description: "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n transport layer (TCP/SSL). See the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb", + Default: "", Type: []string{"string"}, Format: "", }, @@ -9143,6 +9155,7 @@ func schema_openshift_api_config_v1_AuditCustomRule(ref common.ReferenceCallback "profile": { SchemaProps: spec.SchemaProps{ Description: "profile specifies the name of the desired audit policy configuration to be deployed to all OpenShift-provided API servers in the cluster.\n\nThe following profiles are provided: - Default: the existing default policy. - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nIf unset, the 'Default' profile is used as the default.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -9376,7 +9389,6 @@ func schema_openshift_api_config_v1_AuthenticationStatus(ref common.ReferenceCal }, }, }, - Required: []string{"integratedOAuthMetadata", "oidcClients"}, }, }, Dependencies: []string{ @@ -9450,12 +9462,19 @@ func schema_openshift_api_config_v1_AzurePlatformStatus(ref common.ReferenceCall }, }, }, + "cloudLoadBalancerConfig": { + SchemaProps: spec.SchemaProps{ + Description: "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", + Default: map[string]interface{}{"dnsType": "PlatformDefault"}, + Ref: ref("github.com/openshift/api/config/v1.CloudLoadBalancerConfig"), + }, + }, }, Required: []string{"resourceGroupName"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AzureResourceTag"}, + "github.com/openshift/api/config/v1.AzureResourceTag", "github.com/openshift/api/config/v1.CloudLoadBalancerConfig"}, } } @@ -10237,40 +10256,11 @@ func schema_openshift_api_config_v1_ClusterCondition(ref common.ReferenceCallbac } } -func schema_openshift_api_config_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "cidr": { - SchemaProps: spec.SchemaProps{ - Description: "The complete block for pod IPs.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "hostPrefix": { - SchemaProps: spec.SchemaProps{ - Description: "The size (prefix) of block to allocate to each node. If this field is not used by the plugin, it can be left unset.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - }, - Required: []string{"cidr"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10296,32 +10286,32 @@ func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec holds configuration that could apply to any operator.", + Description: "spec contains the configuration for the cluster image policy.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorSpec"), + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicySpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", + Description: "status contains the observed state of the resource.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatus"), + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicyStatus"), }, }, }, - Required: []string{"metadata", "spec"}, + Required: []string{"spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperatorSpec", "github.com/openshift/api/config/v1.ClusterOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/config/v1.ClusterImagePolicySpec", "github.com/openshift/api/config/v1.ClusterImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorList is a list of OperatorStatus resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10347,12 +10337,13 @@ func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCall }, "items": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "items is a list of ClusterImagePolices", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperator"), + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicy"), }, }, }, @@ -10363,151 +10354,123 @@ func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCall }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/config/v1.ClusterImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_config_v1_ClusterOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorSpec is empty for now, but you could imagine holding information like \"pause\".", - Type: []string{"object"}, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorStatus provides information about the status of the operator.", + Description: "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "conditions": { + "scopes": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge", + "x-kubernetes-list-type": "set", }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions describes the state of the operator's managed and monitored components.", + Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatusCondition"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "versions": { + "policy": { SchemaProps: spec.SchemaProps{ - Description: "versions is a slice of operator and operand version tuples. Operators which manage multiple operands will have multiple operand entries in the array. Available operators must report the version of the operator itself with the name \"operator\". An operator reports a new \"operator\" version when it has rolled out the new version to all of its operands.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.OperandVersion"), - }, + Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.Policy"), + }, + }, + }, + Required: []string{"scopes", "policy"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.Policy"}, + } +} + +func schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", }, + "x-kubernetes-list-type": "map", }, }, - }, - "relatedObjects": { SchemaProps: spec.SchemaProps{ - Description: "relatedObjects is a list of objects that are \"interesting\" or related to this operator. Common uses are: 1. the detailed resource driving the operator 2. operator namespaces 3. operand namespaces", + Description: "conditions provide details on the status of this API Resource.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ObjectReference"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "extension": { - SchemaProps: spec.SchemaProps{ - Description: "extension contains any additional status information specific to the operator which owns this status object.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), - }, - }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ObjectReference", "github.com/openshift/api/config/v1.OperandVersion", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_config_v1_ClusterOperatorStatusCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components.", + Description: "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type specifies the aspect reported by this condition.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "status": { + "cidr": { SchemaProps: spec.SchemaProps{ - Description: "status of the condition, one of True, False, Unknown.", + Description: "The complete block for pod IPs.", Default: "", Type: []string{"string"}, Format: "", }, }, - "lastTransitionTime": { - SchemaProps: spec.SchemaProps{ - Description: "lastTransitionTime is the time of the last update to the current status property.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), - }, - }, - "reason": { - SchemaProps: spec.SchemaProps{ - Description: "reason is the CamelCase reason for the condition's current status.", - Type: []string{"string"}, - Format: "", - }, - }, - "message": { + "hostPrefix": { SchemaProps: spec.SchemaProps{ - Description: "message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", - Type: []string{"string"}, - Format: "", + Description: "The size (prefix) of block to allocate to each node. If this field is not used by the plugin, it can be left unset.", + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"type", "status", "lastTransitionTime"}, + Required: []string{"cidr"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_config_v1_ClusterVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10533,125 +10496,362 @@ func schema_openshift_api_config_v1_ClusterVersion(ref common.ReferenceCallback) }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster.", + Description: "spec holds configuration that could apply to any operator.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterVersionSpec"), + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorSpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status contains information about the available updates and any in-progress updates.", + Description: "status holds the information about the state of an operator. It is consistent with status information across the Kubernetes ecosystem.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ClusterVersionStatus"), + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatus"), }, }, }, - Required: []string{"spec"}, + Required: []string{"metadata", "spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterVersionSpec", "github.com/openshift/api/config/v1.ClusterVersionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_config_v1_ClusterVersionCapabilitiesSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionCapabilitiesSpec selects the managed set of optional, core cluster components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "baselineCapabilitySet": { - SchemaProps: spec.SchemaProps{ - Description: "baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.", - Type: []string{"string"}, - Format: "", - }, - }, - "additionalEnabledCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_config_v1_ClusterVersionCapabilitiesStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionCapabilitiesStatus describes the state of optional, core cluster components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "enabledCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "enabledCapabilities lists all the capabilities that are currently managed.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "knownCapabilities": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "knownCapabilities lists all the capabilities known to the current cluster.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, + "github.com/openshift/api/config/v1.ClusterOperatorSpec", "github.com/openshift/api/config/v1.ClusterOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1_ClusterVersionList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ClusterOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterVersionList is a list of ClusterVersion resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ClusterOperatorList is a list of OperatorStatus resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterOperator"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClusterOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1_ClusterOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterOperatorSpec is empty for now, but you could imagine holding information like \"pause\".", + Type: []string{"object"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterOperatorStatus provides information about the status of the operator.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions describes the state of the operator's managed and monitored components.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterOperatorStatusCondition"), + }, + }, + }, + }, + }, + "versions": { + SchemaProps: spec.SchemaProps{ + Description: "versions is a slice of operator and operand version tuples. Operators which manage multiple operands will have multiple operand entries in the array. Available operators must report the version of the operator itself with the name \"operator\". An operator reports a new \"operator\" version when it has rolled out the new version to all of its operands.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.OperandVersion"), + }, + }, + }, + }, + }, + "relatedObjects": { + SchemaProps: spec.SchemaProps{ + Description: "relatedObjects is a list of objects that are \"interesting\" or related to this operator. Common uses are: 1. the detailed resource driving the operator 2. operator namespaces 3. operand namespaces", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ObjectReference"), + }, + }, + }, + }, + }, + "extension": { + SchemaProps: spec.SchemaProps{ + Description: "extension contains any additional status information specific to the operator which owns this status object.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClusterOperatorStatusCondition", "github.com/openshift/api/config/v1.ObjectReference", "github.com/openshift/api/config/v1.OperandVersion", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + } +} + +func schema_openshift_api_config_v1_ClusterOperatorStatusCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterOperatorStatusCondition represents the state of the operator's managed and monitored components.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type specifies the aspect reported by this condition.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the time of the last update to the current status property.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason is the CamelCase reason for the condition's current status.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message provides additional information about the current condition. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_openshift_api_config_v1_ClusterVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersion is the configuration for the ClusterVersionOperator. This is where parameters related to automatic updates can be set.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec is the desired state of the cluster version - the operator will work to ensure that the desired version is applied to the cluster.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterVersionSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status contains information about the available updates and any in-progress updates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterVersionStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClusterVersionSpec", "github.com/openshift/api/config/v1.ClusterVersionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1_ClusterVersionCapabilitiesSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersionCapabilitiesSpec selects the managed set of optional, core cluster components.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "baselineCapabilitySet": { + SchemaProps: spec.SchemaProps{ + Description: "baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.", + Type: []string{"string"}, + Format: "", + }, + }, + "additionalEnabledCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "additionalEnabledCapabilities extends the set of managed capabilities beyond the baseline defined in baselineCapabilitySet. The default is an empty set.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterVersionCapabilitiesStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersionCapabilitiesStatus describes the state of optional, core cluster components.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "enabledCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "enabledCapabilities lists all the capabilities that are currently managed.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "knownCapabilities": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "knownCapabilities lists all the capabilities known to the current cluster.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1_ClusterVersionList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterVersionList is a list of ClusterVersion resources.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -10727,7 +10927,7 @@ func schema_openshift_api_config_v1_ClusterVersionSpec(ref common.ReferenceCallb }, "channel": { SchemaProps: spec.SchemaProps{ - Description: "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + Description: "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", Type: []string{"string"}, Format: "", }, @@ -10913,7 +11113,7 @@ func schema_openshift_api_config_v1_ClusterVersionStatus(ref common.ReferenceCal }, }, }, - Required: []string{"desired", "observedGeneration", "versionHash", "capabilities", "availableUpdates"}, + Required: []string{"desired", "observedGeneration", "versionHash", "availableUpdates"}, }, }, Dependencies: []string{ @@ -11464,7 +11664,6 @@ func schema_openshift_api_config_v1_ConsoleStatus(ref common.ReferenceCallback) }, }, }, - Required: []string{"consoleURL"}, }, }, } @@ -12153,7 +12352,7 @@ func schema_openshift_api_config_v1_ExtraMapping(ref common.ReferenceCallback) c }, "valueExpression": { SchemaProps: spec.SchemaProps{ - Description: "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", + Description: "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", Default: "", Type: []string{"string"}, Format: "", @@ -12468,7 +12667,6 @@ func schema_openshift_api_config_v1_FeatureGateStatus(ref common.ReferenceCallba }, }, }, - Required: []string{"featureGates"}, }, }, Dependencies: []string{ @@ -12513,6 +12711,43 @@ func schema_openshift_api_config_v1_FeatureGateTests(ref common.ReferenceCallbac } } +func schema_openshift_api_config_v1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1_GCPPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -12608,7 +12843,7 @@ func schema_openshift_api_config_v1_GCPPlatformStatus(ref common.ReferenceCallba }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", + Description: "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -13201,7 +13436,7 @@ func schema_openshift_api_config_v1_IBMCloudPlatformSpec(ref common.ReferenceCal }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -13273,7 +13508,7 @@ func schema_openshift_api_config_v1_IBMCloudPlatformStatus(ref common.ReferenceC }, }, SchemaProps: spec.SchemaProps{ - Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + Description: "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -13948,6 +14183,187 @@ func schema_openshift_api_config_v1_ImageList(ref common.ReferenceCallback) comm } } +func schema_openshift_api_config_v1_ImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec holds user settable values for configuration", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ImagePolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status contains the observed state of the resource.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ImagePolicySpec", "github.com/openshift/api/config/v1.ImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of ImagePolicies", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ImagePolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicySpec is the specification of the ImagePolicy CRD.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "scopes": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.Policy"), + }, + }, + }, + Required: []string{"scopes", "policy"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.Policy"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -14458,7 +14874,6 @@ func schema_openshift_api_config_v1_InfrastructureStatus(ref common.ReferenceCal "infrastructureTopology": { SchemaProps: spec.SchemaProps{ Description: "infrastructureTopology expresses the expectations for infrastructure services that do not run on control plane nodes, usually indicated by a node selector for a `role` value other than `master`. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation NOTE: External topology mode is not applicable for this field.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -14472,7 +14887,6 @@ func schema_openshift_api_config_v1_InfrastructureStatus(ref common.ReferenceCal }, }, }, - Required: []string{"infrastructureName", "etcdDiscoveryDomain", "apiServerURL", "apiServerInternalURI", "controlPlaneTopology", "infrastructureTopology"}, }, }, Dependencies: []string{ @@ -16461,11 +16875,12 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is the name of the component that is supposed to consume this client configuration", + Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -16473,7 +16888,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is the namespace of the component that is supposed to consume this client configuration", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -16481,7 +16896,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientID": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the identifier of the OIDC client from the OIDC provider", + Description: "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", Default: "", Type: []string{"string"}, Format: "", @@ -16489,7 +16904,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", + Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.SecretNameReference"), }, @@ -16501,7 +16916,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "extraScopes is an optional set of scopes to request tokens with.", + Description: "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16515,7 +16930,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, }, }, - Required: []string{"componentName", "componentNamespace", "clientID", "clientSecret", "extraScopes"}, + Required: []string{"componentName", "componentNamespace", "clientID"}, }, }, Dependencies: []string{ @@ -16527,11 +16942,12 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "OIDCClientReference is a reference to a platform component client configuration.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "oidcProviderName": { SchemaProps: spec.SchemaProps{ - Description: "OIDCName refers to the `name` of the provider from `oidcProviders`", + Description: "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", Default: "", Type: []string{"string"}, Format: "", @@ -16539,7 +16955,7 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall }, "issuerURL": { SchemaProps: spec.SchemaProps{ - Description: "URL is the serving URL of the token issuer. Must use the https:// scheme.", + Description: "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", Default: "", Type: []string{"string"}, Format: "", @@ -16547,7 +16963,7 @@ func schema_openshift_api_config_v1_OIDCClientReference(ref common.ReferenceCall }, "clientID": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the identifier of the OIDC client from the OIDC provider", + Description: "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", Default: "", Type: []string{"string"}, Format: "", @@ -16564,11 +16980,12 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is the name of the component that will consume a client configuration.", + Description: "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -16576,7 +16993,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is the namespace of the component that will consume a client configuration.", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -16593,7 +17010,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "currentOIDCClients is a list of clients that the component is currently using.", + Description: "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16612,7 +17029,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + Description: "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16648,7 +17065,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, }, - Required: []string{"componentName", "componentNamespace", "currentOIDCClients", "consumingUsers"}, + Required: []string{"componentName", "componentNamespace"}, }, }, Dependencies: []string{ @@ -16664,7 +17081,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name of the OIDC provider", + Description: "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", Default: "", Type: []string{"string"}, Format: "", @@ -16672,7 +17089,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, "issuer": { SchemaProps: spec.SchemaProps{ - Description: "issuer describes atributes of the OIDC token issuer", + Description: "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.TokenIssuer"), }, @@ -16688,7 +17105,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, SchemaProps: spec.SchemaProps{ - Description: "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", + Description: "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16702,7 +17119,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, "claimMappings": { SchemaProps: spec.SchemaProps{ - Description: "claimMappings describes rules on how to transform information from an ID token into a cluster identity", + Description: "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.TokenClaimMappings"), }, @@ -16714,7 +17131,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, SchemaProps: spec.SchemaProps{ - Description: "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + Description: "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -16745,7 +17162,7 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, }, - Required: []string{"name", "issuer", "oidcClients", "claimMappings"}, + Required: []string{"name", "issuer", "claimMappings"}, }, }, Dependencies: []string{ @@ -17520,6 +17937,70 @@ func schema_openshift_api_config_v1_OvirtPlatformStatus(ref common.ReferenceCall } } +func schema_openshift_api_config_v1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_config_v1_PlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -17736,6 +18217,220 @@ func schema_openshift_api_config_v1_PlatformStatus(ref common.ReferenceCallback) } } +func schema_openshift_api_config_v1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Policy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, + } +} + +func schema_openshift_api_config_v1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "oidcIssuer": { + SchemaProps: spec.SchemaProps{ + Description: "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "signedEmail": { + SchemaProps: spec.SchemaProps{ + Description: "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"oidcIssuer", "signedEmail"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "matchPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "exactRepository": { + SchemaProps: spec.SchemaProps{ + Description: "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + Ref: ref("github.com/openshift/api/config/v1.PolicyMatchExactRepository"), + }, + }, + "remapIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", + Ref: ref("github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"), + }, + }, + }, + Required: []string{"matchPolicy"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "matchPolicy", + "fields-to-discriminateBy": map[string]interface{}{ + "exactRepository": "PolicyMatchExactRepository", + "remapIdentity": "PolicyMatchRemapIdentity", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyMatchExactRepository", "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"}, + } +} + +func schema_openshift_api_config_v1_PolicyMatchExactRepository(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "repository": { + SchemaProps: spec.SchemaProps{ + Description: "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"repository"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "prefix": { + SchemaProps: spec.SchemaProps{ + Description: "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "signedPrefix": { + SchemaProps: spec.SchemaProps{ + Description: "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"prefix", "signedPrefix"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "policyType": { + SchemaProps: spec.SchemaProps{ + Description: "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "publicKey": { + SchemaProps: spec.SchemaProps{ + Description: "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + Ref: ref("github.com/openshift/api/config/v1.PublicKey"), + }, + }, + "fulcioCAWithRekor": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + Ref: ref("github.com/openshift/api/config/v1.FulcioCAWithRekor"), + }, + }, + "pki": { + SchemaProps: spec.SchemaProps{ + Description: "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", + Ref: ref("github.com/openshift/api/config/v1.PKI"), + }, + }, + }, + Required: []string{"policyType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "policyType", + "fields-to-discriminateBy": map[string]interface{}{ + "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", + "publicKey": "PublicKey", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.FulcioCAWithRekor", "github.com/openshift/api/config/v1.PKI", "github.com/openshift/api/config/v1.PublicKey"}, + } +} + func schema_openshift_api_config_v1_PowerVSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -17883,11 +18578,12 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a JWT token claim to be used in the mapping", + Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", Default: "", Type: []string{"string"}, Format: "", @@ -17895,14 +18591,14 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal }, "prefix": { SchemaProps: spec.SchemaProps{ - Description: "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"claim", "prefix"}, + Required: []string{"claim"}, }, }, } @@ -18285,6 +18981,34 @@ func schema_openshift_api_config_v1_ProxyStatus(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PublicKey defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -19374,11 +20098,12 @@ func schema_openshift_api_config_v1_TokenClaimMapping(ref common.ReferenceCallba return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a JWT token claim to be used in the mapping", + Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", Default: "", Type: []string{"string"}, Format: "", @@ -19399,14 +20124,14 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "username": { SchemaProps: spec.SchemaProps{ - Description: "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", + Description: "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.UsernameClaimMapping"), }, }, "groups": { SchemaProps: spec.SchemaProps{ - Description: "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.PrefixedClaimMapping"), }, @@ -19427,7 +20152,7 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, SchemaProps: spec.SchemaProps{ - Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", + Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -19440,6 +20165,7 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, }, + Required: []string{"username"}, }, }, Dependencies: []string{ @@ -19463,7 +20189,7 @@ func schema_openshift_api_config_v1_TokenClaimOrExpressionMapping(ref common.Ref }, "expression": { SchemaProps: spec.SchemaProps{ - Description: "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", + Description: "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", Type: []string{"string"}, Format: "", }, @@ -19482,7 +20208,7 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type sets the type of the validation rule", + Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", Default: "", Type: []string{"string"}, Format: "", @@ -19552,15 +20278,14 @@ func schema_openshift_api_config_v1_TokenExpressionRule(ref common.ReferenceCall Properties: map[string]spec.Schema{ "expression": { SchemaProps: spec.SchemaProps{ - Description: "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", - Default: "", + Description: "expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", Type: []string{"string"}, Format: "", }, }, "message": { SchemaProps: spec.SchemaProps{ - Description: "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", + Description: "message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", Type: []string{"string"}, Format: "", }, @@ -19580,7 +20305,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co Properties: map[string]spec.Schema{ "issuerURL": { SchemaProps: spec.SchemaProps{ - Description: "URL is the serving URL of the token issuer. Must use the https:// scheme.", + Description: "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", Default: "", Type: []string{"string"}, Format: "", @@ -19593,7 +20318,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, }, SchemaProps: spec.SchemaProps{ - Description: "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", + Description: "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -19608,7 +20333,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, "issuerCertificateAuthority": { SchemaProps: spec.SchemaProps{ - Description: "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + Description: "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), }, @@ -19628,7 +20353,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, }, }, - Required: []string{"issuerURL", "audiences", "issuerCertificateAuthority"}, + Required: []string{"issuerURL", "audiences"}, }, }, Dependencies: []string{ @@ -19652,7 +20377,7 @@ func schema_openshift_api_config_v1_TokenRequiredClaim(ref common.ReferenceCallb }, "requiredValue": { SchemaProps: spec.SchemaProps{ - Description: "requiredValue is the required value for the claim.", + Description: "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", Default: "", Type: []string{"string"}, Format: "", @@ -19674,14 +20399,14 @@ func schema_openshift_api_config_v1_TokenUserValidationRule(ref common.Reference Properties: map[string]spec.Schema{ "expression": { SchemaProps: spec.SchemaProps{ - Description: "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + Description: "expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", Type: []string{"string"}, Format: "", }, }, "message": { SchemaProps: spec.SchemaProps{ - Description: "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", + Description: "message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", Type: []string{"string"}, Format: "", }, @@ -19791,7 +20516,7 @@ func schema_openshift_api_config_v1_UpdateHistory(ref common.ReferenceCallback) }, "acceptedRisks": { SchemaProps: spec.SchemaProps{ - Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + Description: "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", Type: []string{"string"}, Format: "", }, @@ -19813,7 +20538,7 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a JWT token claim to be used in the mapping", + Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", Default: "", Type: []string{"string"}, Format: "", @@ -19821,19 +20546,34 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal }, "prefixPolicy": { SchemaProps: spec.SchemaProps{ - Description: "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", Default: "", Type: []string{"string"}, Format: "", + Enum: []interface{}{}, }, }, "prefix": { SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/config/v1.UsernamePrefix"), + Description: "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", + Ref: ref("github.com/openshift/api/config/v1.UsernamePrefix"), + }, + }, + }, + Required: []string{"claim"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "prefixPolicy", + "fields-to-discriminateBy": map[string]interface{}{ + "claim": "Claim", + "prefix": "Prefix", + }, }, }, }, - Required: []string{"claim", "prefixPolicy", "prefix"}, }, }, Dependencies: []string{ @@ -19845,13 +20585,15 @@ func schema_openshift_api_config_v1_UsernamePrefix(ref common.ReferenceCallback) return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "prefixString": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, @@ -20540,6 +21282,185 @@ func schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref common.Referen } } +func schema_openshift_api_config_v1alpha1_AlertmanagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "alertmanagerConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "deploymentMode": { + SchemaProps: spec.SchemaProps{ + Description: "deploymentMode determines whether the default Alertmanager instance should be deployed as part of the monitoring stack. Allowed values are Disabled, DefaultConfig, and CustomConfig. When set to Disabled, the Alertmanager instance will not be deployed. When set to DefaultConfig, the platform will deploy Alertmanager with default settings. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", + Type: []string{"string"}, + Format: "", + }, + }, + "customConfig": { + SchemaProps: spec.SchemaProps{ + Description: "customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig"), + }, + }, + }, + Required: []string{"deploymentMode"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.AlertmanagerCustomConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_AlertmanagerCustomConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "logLevel": { + SchemaProps: spec.SchemaProps{ + Description: "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + Type: []string{"string"}, + Format: "", + }, + }, + "nodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ContainerResource"), + }, + }, + }, + }, + }, + "secrets": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "tolerations": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Toleration"), + }, + }, + }, + }, + }, + "topologySpreadConstraints": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "topologyKey", + "whenUnsatisfiable", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.TopologySpreadConstraint"), + }, + }, + }, + }, + }, + "volumeClaimTemplate": { + SchemaProps: spec.SchemaProps{ + Description: "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.", + Ref: ref("k8s.io/api/core/v1.PersistentVolumeClaim"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ContainerResource", "k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint"}, + } +} + +func schema_openshift_api_config_v1alpha1_Audit(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Audit profile configurations", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "profile": { + SchemaProps: spec.SchemaProps{ + Description: "profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. Allowed values are None, Metadata, Request, or RequestResponse. When set to None, audit logging is disabled and no audit events are recorded. When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. When set to Request, event metadata and the request body are logged, but not the response body. When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.\n\nSee: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy for more information about auditing and log levels.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"profile"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_Backup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -20963,17 +21884,30 @@ func schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref common.Refer Properties: map[string]spec.Schema{ "userDefined": { SchemaProps: spec.SchemaProps{ - Description: "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring.", + Description: "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"), }, }, + "alertmanagerConfig": { + SchemaProps: spec.SchemaProps{ + Description: "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.AlertmanagerConfig"), + }, + }, + "metricsServerConfig": { + SchemaProps: spec.SchemaProps{ + Description: "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.MetricsServerConfig"), + }, + }, }, - Required: []string{"userDefined"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, + "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig", "github.com/openshift/api/config/v1alpha1.MetricsServerConfig", "github.com/openshift/api/config/v1alpha1.UserDefinedMonitoring"}, } } @@ -20981,10 +21915,45 @@ func schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref common.Ref return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MonitoringOperatorStatus defines the observed state of MonitoringOperator", + Description: "ClusterMonitoringStatus defines the observed state of ClusterMonitoring", + Type: []string{"object"}, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_ContainerResource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ContainerResource defines a single resource requirement for a container.", Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name of the resource (e.g. \"cpu\", \"memory\", \"hugepages-2Mi\"). This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.", + Type: []string{"string"}, + Format: "", + }, + }, + "request": { + SchemaProps: spec.SchemaProps{ + Description: "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit.", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + }, + }, + "limit": { + SchemaProps: spec.SchemaProps{ + Description: "limit is the maximum amount of the resource allowed (e.g. \"2Mi\", \"1Gi\"). This field is optional. When request is specified, limit cannot be less than request. The value must be greater than 0 when specified.", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + }, + }, + }, + Required: []string{"name"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/api/resource.Quantity"}, } } @@ -21426,6 +22395,115 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } +func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "audit": { + SchemaProps: spec.SchemaProps{ + Description: "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.Audit"), + }, + }, + "nodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "tolerations": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Toleration"), + }, + }, + }, + }, + }, + "verbosity": { + SchemaProps: spec.SchemaProps{ + Description: "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", + Type: []string{"string"}, + Format: "", + }, + }, + "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ContainerResource"), + }, + }, + }, + }, + }, + "topologySpreadConstraints": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "topologyKey", + "whenUnsatisfiable", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.TopologySpreadConstraint"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.Audit", "github.com/openshift/api/config/v1alpha1.ContainerResource", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint"}, + } +} + func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -21710,7 +22788,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference Properties: map[string]spec.Schema{ "policyType": { SchemaProps: spec.SchemaProps{ - Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", Default: "", Type: []string{"string"}, Format: "", @@ -21795,6 +22873,7 @@ func schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref common.Refer "maxNumberOfBackups": { SchemaProps: spec.SchemaProps{ Description: "maxNumberOfBackups defines the maximum number of backups to retain. If the existing number of backups saved is equal to MaxNumberOfBackups then the oldest backup will be removed before a new backup is initiated.", + Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -21866,6 +22945,7 @@ func schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref common.Referen "maxSizeOfBackupsGb": { SchemaProps: spec.SchemaProps{ Description: "maxSizeOfBackupsGb defines the total size in GB of backups to retain. If the current total size backups exceeds MaxSizeOfBackupsGb then the oldest backup will be removed before a new backup is initiated.", + Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -21916,7 +22996,7 @@ func schema_openshift_api_config_v1alpha1_UserDefinedMonitoring(ref common.Refer Properties: map[string]spec.Schema{ "mode": { SchemaProps: spec.SchemaProps{ - Description: "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", + Description: "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", Default: "", Type: []string{"string"}, Format: "", @@ -23267,7 +24347,6 @@ func schema_openshift_api_console_v1_ConsolePluginService(ref common.ReferenceCa "basePath": { SchemaProps: spec.SchemaProps{ Description: "basePath is the path to the plugin's assets. The primary asset it the manifest file called `plugin-manifest.json`, which is a JSON document that contains metadata about the plugin and the extensions.", - Default: "", Type: []string{"string"}, Format: "", }, @@ -24287,6 +25366,7 @@ func schema_openshift_api_example_v1_CELUnion(ref common.ReferenceCallback) comm "type": { SchemaProps: spec.SchemaProps{ Description: "type determines which of the union members should be populated.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -24334,6 +25414,7 @@ func schema_openshift_api_example_v1_EvolvingUnion(ref common.ReferenceCallback) "type": { SchemaProps: spec.SchemaProps{ Description: "type is the discriminator. It has different values for Default and for TechPreviewNoUpgrade", + Default: "", Type: []string{"string"}, Format: "", }, @@ -26385,7 +27466,6 @@ func schema_openshift_api_image_v1_ImageStreamStatus(ref common.ReferenceCallbac }, }, }, - Required: []string{"dockerImageRepository"}, }, }, Dependencies: []string{ @@ -27768,34 +28848,49 @@ func schema_openshift_api_insights_v1alpha1_Storage(ref common.ReferenceCallback } } -func schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_Custom(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AggregatorConfig holds information required to make the aggregator function.", + Description: "custom provides the custom configuration of gatherers", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "proxyClientInfo": { + "configs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.CertInfo"), + Description: "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.GathererConfig"), + }, + }, + }, }, }, }, - Required: []string{"proxyClientInfo"}, + Required: []string{"configs"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.CertInfo"}, + "github.com/openshift/api/insights/v1alpha2.GathererConfig"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_DataGather(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "DataGather provides data gather configuration options and status for the particular Insights data gathering.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -27812,198 +28907,106 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref Format: "", }, }, - "servingInfo": { - SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.HTTPServingInfo"), - }, - }, - "corsAllowedOrigins": { - SchemaProps: spec.SchemaProps{ - Description: "corsAllowedOrigins", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "auditConfig": { - SchemaProps: spec.SchemaProps{ - Description: "auditConfig describes how to configure audit information", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.AuditConfig"), - }, - }, - "storageConfig": { - SchemaProps: spec.SchemaProps{ - Description: "storageConfig contains information about how to use", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.EtcdStorageConfig"), - }, - }, - "admission": { - SchemaProps: spec.SchemaProps{ - Description: "admissionConfig holds information about how to configure admission.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.AdmissionConfig"), - }, - }, - "kubeClientConfig": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), - }, - }, - "authConfig": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "aggregatorConfig": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", + Description: "spec holds user settable values for configuration", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig"), + Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGatherSpec"), }, }, - "kubeletClientInfo": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "kubeletClientInfo contains information about how to connect to kubelets", + Description: "status holds observed values from the cluster. They may not be overridden.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo"), - }, - }, - "servicesSubnet": { - SchemaProps: spec.SchemaProps{ - Description: "servicesSubnet is the subnet to use for assigning service IPs", - Default: "", - Type: []string{"string"}, - Format: "", + Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGatherStatus"), }, }, - "servicesNodePortRange": { + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/insights/v1alpha2.DataGatherSpec", "github.com/openshift/api/insights/v1alpha2.DataGatherStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_insights_v1alpha2_DataGatherList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DataGatherList is a collection of items\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "consolePublicURL": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "DEPRECATED: consolePublicURL has been deprecated and setting it has no effect.", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "userAgentMatchingConfig": { - SchemaProps: spec.SchemaProps{ - Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig"), - }, - }, - "imagePolicyConfig": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "imagePolicyConfig feeds the image policy admission plugin", + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - "projectConfig": { - SchemaProps: spec.SchemaProps{ - Description: "projectConfig feeds an admission plugin", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig"), + "items": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, }, - }, - "serviceAccountPublicKeyFiles": { SchemaProps: spec.SchemaProps{ - Description: "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", + Description: "items contains a list of DataGather resources.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "oauthConfig": { - SchemaProps: spec.SchemaProps{ - Description: "oauthConfig, if present start the /oauth endpoint in this process", - Ref: ref("github.com/openshift/api/osin/v1.OAuthConfig"), - }, - }, - "apiServerArguments": { - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.DataGather"), }, }, }, }, }, - "minimumKubeletVersion": { - SchemaProps: spec.SchemaProps{ - Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, }, - Required: []string{"servingInfo", "corsAllowedOrigins", "auditConfig", "storageConfig", "admission", "kubeClientConfig", "authConfig", "aggregatorConfig", "kubeletClientInfo", "servicesSubnet", "servicesNodePortRange", "consolePublicURL", "userAgentMatchingConfig", "imagePolicyConfig", "projectConfig", "serviceAccountPublicKeyFiles", "oauthConfig", "apiServerArguments"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AdmissionConfig", "github.com/openshift/api/config/v1.AuditConfig", "github.com/openshift/api/config/v1.EtcdStorageConfig", "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo", "github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig", "github.com/openshift/api/osin/v1.OAuthConfig"}, + "github.com/openshift/api/insights/v1alpha2.DataGather", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_DataGatherSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "DataGatherSpec contains the configuration for the DataGather.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "internalRegistryHostname": { - SchemaProps: spec.SchemaProps{ - Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", - Default: "", - Type: []string{"string"}, - Format: "", + "dataPolicy": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, }, - }, - "externalRegistryHostnames": { SchemaProps: spec.SchemaProps{ - Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Description: "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -28016,609 +29019,491 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref }, }, }, - }, - Required: []string{"internalRegistryHostname", "externalRegistryHostnames"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "defaultNodeSelector": { + "gatherers": { SchemaProps: spec.SchemaProps{ - Description: "defaultNodeSelector holds default project node label selector", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "gatherers is an optional field that specifies the configuration of the gatherers. If omitted, all gatherers will be run.", + Ref: ref("github.com/openshift/api/insights/v1alpha2.Gatherers"), + }, + }, + "storage": { + SchemaProps: spec.SchemaProps{ + Description: "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", + Ref: ref("github.com/openshift/api/insights/v1alpha2.Storage"), }, }, }, - Required: []string{"defaultNodeSelector"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/insights/v1alpha2.Gatherers", "github.com/openshift/api/insights/v1alpha2.Storage"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_DataGatherStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "DataGatherStatus contains information relating to the DataGather state.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "conditions is an optional field that provides details on the status of the gatherer job. It may not exceed 100 items and must not contain duplicates.\n\nThe current condition types are DataUploaded, DataRecorded, DataProcessed, RemoteConfigurationNotAvailable, RemoteConfigurationInvalid\n\nThe DataUploaded condition is used to represent whether or not the archive was successfully uploaded for further processing. When it has a status of True and a reason of Succeeded, the archive was successfully uploaded. When it has a status of Unknown and a reason of NoUploadYet, the upload has not occurred, or there was no data to upload. When it has a status of False and a reason Failed, the upload failed. The accompanying message will include the specific error encountered.\n\nThe DataRecorded condition is used to represent whether or not the archive was successfully recorded. When it has a status of True and a reason of Succeeded, the archive was recorded successfully. When it has a status of Unknown and a reason of NoDataGatheringYet, the data gathering process has not started yet. When it has a status of False and a reason of RecordingFailed, the recording failed and a message will include the specific error encountered.\n\nThe DataProcessed condition is used to represent whether or not the archive was processed by the processing service. When it has a status of True and a reason of Processed, the data was processed successfully. When it has a status of Unknown and a reason of NothingToProcessYet, there is no data to process at the moment. When it has a status of False and a reason of Failure, processing failed and a message will include the specific error encountered.\n\nThe RemoteConfigurationAvailable condition is used to represent whether the remote configuration is available. When it has a status of Unknown and a reason of Unknown or RemoteConfigNotRequestedYet, the state of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is available. When it has a status of False and a reason of NoToken, the configuration was disabled by removing the cloud.openshift.com field from the pull secret. When it has a status of False and a reason of DisabledByConfiguration, the configuration was disabled in insightsdatagather.config.openshift.io.\n\nThe RemoteConfigurationValid condition is used to represent whether the remote configuration is valid. When it has a status of Unknown and a reason of Unknown or NoValidationYet, the validity of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is valid. When it has a status of False and a reason of Invalid, the configuration is invalid.\n\nThe Progressing condition is used to represent the phase of gathering When it has a status of False and the reason is DataGatherPending, the gathering has not started yet. When it has a status of True and reason is Gathering, the gathering is running. When it has a status of False and reason is GatheringSucceeded, the gathering succesfully finished. When it has a status of False and reason is GatheringFailed, the gathering failed.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, }, }, - "apiVersion": { + "gatherers": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "gatherers is a list of active gatherers (and their statuses) in the last gathering.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.GathererStatus"), + }, + }, + }, }, }, - "serviceServingCert": { + "startTime": { SchemaProps: spec.SchemaProps{ - Description: "serviceServingCert provides support for the old alpha service serving cert signer CA bundle", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"), + Description: "startTime is the time when Insights data gathering started.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "projectConfig": { + "finishTime": { SchemaProps: spec.SchemaProps{ - Description: "projectConfig is an optimization for the daemonset controller", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig"), + Description: "finishTime is the time when Insights data gathering finished.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "extendedArguments": { + "relatedObjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + "namespace", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "extendedArguments is used to configure the kube-controller-manager", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "relatedObjects is an optional list of resources which are useful when debugging or inspecting the data gathering Pod It may not exceed 100 items and must not contain duplicates.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.ObjectReference"), }, }, }, }, }, + "insightsRequestID": { + SchemaProps: spec.SchemaProps{ + Description: "insightsRequestID is an optional Insights request ID to track the status of the Insights analysis (in console.redhat.com processing pipeline) for the corresponding Insights data archive. It may not exceed 256 characters and is immutable once set.", + Type: []string{"string"}, + Format: "", + }, + }, + "insightsReport": { + SchemaProps: spec.SchemaProps{ + Description: "insightsReport provides general Insights analysis results. When omitted, this means no data gathering has taken place yet or the corresponding Insights analysis (identified by \"insightsRequestID\") is not available.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.InsightsReport"), + }, + }, }, - Required: []string{"serviceServingCert", "projectConfig", "extendedArguments"}, }, }, Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"}, + "github.com/openshift/api/insights/v1alpha2.GathererStatus", "github.com/openshift/api/insights/v1alpha2.InsightsReport", "github.com/openshift/api/insights/v1alpha2.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_GathererConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "gathererConfig allows to configure specific gatherers", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "defaultNodeSelector": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "defaultNodeSelector holds default project node label selector", + Description: "name is the required name of a specific gatherer It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "state": { + SchemaProps: spec.SchemaProps{ + Description: "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"defaultNodeSelector"}, + Required: []string{"name", "state"}, }, }, } } -func schema_openshift_api_kubecontrolplane_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_GathererStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", + Description: "gathererStatus represents information about a particular data gatherer.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "port": { - SchemaProps: spec.SchemaProps{ - Description: "port is the port to connect to kubelets on", - Default: 0, - Type: []string{"integer"}, - Format: "int64", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections to kubelets", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "certFile": { - SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "keyFile": { - SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"port", "ca", "certFile", "keyFile"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requestHeader": { - SchemaProps: spec.SchemaProps{ - Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions"), + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, }, - }, - "webhookTokenAuthenticators": { SchemaProps: spec.SchemaProps{ - Description: "webhookTokenAuthenticators, if present configures remote token reviewers", + Description: "conditions provide details on the status of each gatherer.\n\nThe current condition type is DataGathered\n\nThe DataGathered condition is used to represent whether or not the data was gathered by a gatherer specified by name. When it has a status of True and a reason of GatheredOK, the data has been successfully gathered as expected. When it has a status of False and a reason of NoData, no data was gathered—for example, when the resource is not present in the cluster. When it has a status of False and a reason of GatherError, an error occurred and no data was gathered. When it has a status of False and a reason of GatherPanic, a panic occurred during gathering and no data was collected. When it has a status of False and a reason of GatherWithErrorReason, data was partially gathered or gathered with an error message.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "oauthMetadataFile": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", + Description: "name is the required name of the gatherer. It must contain at least 5 characters and may not exceed 256 characters.", Default: "", Type: []string{"string"}, Format: "", }, }, + "lastGatherSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "lastGatherSeconds is required field that represents the time spent gathering in seconds", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, }, - Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, + Required: []string{"name", "lastGatherSeconds"}, }, }, Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_Gatherers(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", + Description: "Gathereres specifies the configuration of the gatherers", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "clientCA": { + "mode": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is a file with the trusted signer certs. It is required.", + Description: "mode is a required field that specifies the mode for gatherers. Allowed values are All and Custom. When set to All, all gatherers wil run and gather data. When set to Custom, the custom configuration from the custom field will be applied.", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCommonNames": { - SchemaProps: spec.SchemaProps{ - Description: "clientCommonNames is a required list of common names to require a match from.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "usernameHeaders": { - SchemaProps: spec.SchemaProps{ - Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "groupHeaders": { + "custom": { SchemaProps: spec.SchemaProps{ - Description: "groupHeaders is the set of headers to check for group information. All are unioned.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.", + Ref: ref("github.com/openshift/api/insights/v1alpha2.Custom"), }, }, - "extraHeaderPrefixes": { - SchemaProps: spec.SchemaProps{ - Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, + }, + Required: []string{"mode"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "mode", + "fields-to-discriminateBy": map[string]interface{}{ + "custom": "Custom", }, }, }, }, - Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/insights/v1alpha2.Custom"}, } } -func schema_openshift_api_kubecontrolplane_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_HealthCheck(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", + Description: "healthCheck represents an Insights health check attributes.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "certFile": { + "description": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "description is required field that provides basic description of the healtcheck. It must contain at least 10 characters and may not exceed 2048 characters.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"certFile"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "regex": { + "totalRisk": { SchemaProps: spec.SchemaProps{ - Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Description: "totalRisk is the required field of the healthcheck. It is indicator of the total risk posed by the detected issue; combination of impact and likelihood. Allowed values are Low, Medium, Important and Critical. The value represents the severity of the issue.", Default: "", Type: []string{"string"}, Format: "", }, }, - "httpVerbs": { - SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "rejectionMessage": { + "advisorURI": { SchemaProps: spec.SchemaProps{ - Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Description: "advisorURI is required field that provides the URL link to the Insights Advisor. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"regex", "httpVerbs", "rejectionMessage"}, + Required: []string{"description", "totalRisk", "advisorURI"}, }, }, } } -func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_InsightsReport(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", + Description: "insightsReport provides Insights health check report based on the most recently sent Insights data.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "regex": { - SchemaProps: spec.SchemaProps{ - Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "httpVerbs": { + "downloadedTime": { SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "downloadedTime is an optional time when the last Insights report was downloaded. An empty value means that there has not been any Insights report downloaded yet and it usually appears in disconnected clusters (or clusters when the Insights data gathering is disabled).", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - }, - Required: []string{"regex", "httpVerbs"}, - }, - }, - } -} - -func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requiredClients": { - SchemaProps: spec.SchemaProps{ - Description: "requiredClients if this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"), - }, + "healthChecks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "advisorURI", + "totalRisk", + "description", }, + "x-kubernetes-list-type": "map", }, }, - }, - "deniedClients": { SchemaProps: spec.SchemaProps{ - Description: "deniedClients if this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", + Description: "healthChecks provides basic information about active Insights health checks in a cluster.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule"), + Ref: ref("github.com/openshift/api/insights/v1alpha2.HealthCheck"), }, }, }, }, }, - "defaultRejectionMessage": { + "uri": { SchemaProps: spec.SchemaProps{ - Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", - Default: "", + Description: "uri is optional field that provides the URL link from which the report was downloaded. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, }, }, Dependencies: []string{ - "github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"}, + "github.com/openshift/api/insights/v1alpha2.HealthCheck", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_kubecontrolplane_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_ObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", + Description: "ObjectReference contains enough information to let you inspect or modify the referred object.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configFile": { + "group": { SchemaProps: spec.SchemaProps{ - Description: "configFile is a path to a Kubeconfig file with the webhook configuration", + Description: "group is required field that specifies the API Group of the Resource. Enter empty string for the core group. This value is empty or it should follow the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", Default: "", Type: []string{"string"}, Format: "", }, }, - "cacheTTL": { + "resource": { SchemaProps: spec.SchemaProps{ - Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", + Description: "resource is required field of the type that is being referenced and follows the DNS1035 format. It is normally the plural form of the resource kind in lowercase. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is required field that specifies the referent that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character..", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "namespace": { + SchemaProps: spec.SchemaProps{ + Description: "namespace if required field of the referent that follows the DNS1123 labels format. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"configFile", "cacheTTL"}, + Required: []string{"group", "resource", "name", "namespace"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_PersistentVolumeClaimReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema", + Description: "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "usersQuery": { - SchemaProps: spec.SchemaProps{ - Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), - }, - }, - "userNameAttributes": { - SchemaProps: spec.SchemaProps{ - Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "groupMembershipAttributes": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes"}, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_AdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_PersistentVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AdmissionConfig holds the necessary configuration options for admission", + Description: "persistentVolumeConfig provides configuration options for PersistentVolume storage.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "pluginConfig": { + "claim": { SchemaProps: spec.SchemaProps{ - Description: "pluginConfig allows specifying a configuration file per admission control plugin", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"), - }, - }, - }, + Description: "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference"), }, }, - "pluginOrderOverride": { + "mountPath": { SchemaProps: spec.SchemaProps{ - Description: "pluginOrderOverride is a list of admission control plugin names that will be installed on the master. Order is significant. If empty, a default list of plugins is used.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"pluginConfig"}, + Required: []string{"claim"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"}, + "github.com/openshift/api/insights/v1alpha2.PersistentVolumeClaimReference"}, } } -func schema_openshift_api_legacyconfig_v1_AdmissionPluginConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_insights_v1alpha2_Storage(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AdmissionPluginConfig holds the necessary configuration options for admission plugins", + Description: "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "location": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "location is the path to a configuration file that contains the plugin's configuration", + Description: "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the PersistentVolume field.", Default: "", Type: []string{"string"}, Format: "", }, }, - "configuration": { + "persistentVolume": { SchemaProps: spec.SchemaProps{ - Description: "configuration is an embedded configuration object to be used as the plugin's configuration. If present, it will be used instead of the path to the configuration file.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", + Ref: ref("github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig"), + }, + }, + }, + Required: []string{"type"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "persistentVolume": "PersistentVolume", + }, }, }, }, - Required: []string{"location", "configuration"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "github.com/openshift/api/insights/v1alpha2.PersistentVolumeConfig"}, } } -func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ @@ -28629,7 +29514,7 @@ func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceC SchemaProps: spec.SchemaProps{ Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), + Ref: ref("github.com/openshift/api/config/v1.CertInfo"), }, }, }, @@ -28637,15 +29522,15 @@ func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceC }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.CertInfo"}, + "github.com/openshift/api/config/v1.CertInfo"}, } } -func schema_openshift_api_legacyconfig_v1_AllowAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -28662,123 +29547,124 @@ func schema_openshift_api_legacyconfig_v1_AllowAllPasswordIdentityProvider(ref c Format: "", }, }, - }, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_AuditConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AuditConfig holds configuration for the audit capabilities", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "enabled": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "servingInfo describes how to start serving", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.HTTPServingInfo"), }, }, - "auditFilePath": { + "corsAllowedOrigins": { SchemaProps: spec.SchemaProps{ - Description: "All requests coming to the apiserver will be logged to this file.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "corsAllowedOrigins", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "maximumFileRetentionDays": { + "auditConfig": { SchemaProps: spec.SchemaProps{ - Description: "Maximum number of days to retain old log files based on the timestamp encoded in their filename.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "auditConfig describes how to configure audit information", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.AuditConfig"), }, }, - "maximumRetainedFiles": { + "storageConfig": { SchemaProps: spec.SchemaProps{ - Description: "Maximum number of old log files to retain.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "storageConfig contains information about how to use", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.EtcdStorageConfig"), }, }, - "maximumFileSizeMegabytes": { + "admission": { SchemaProps: spec.SchemaProps{ - Description: "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "admissionConfig holds information about how to configure admission.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.AdmissionConfig"), }, }, - "policyFile": { + "kubeClientConfig": { SchemaProps: spec.SchemaProps{ - Description: "policyFile is a path to the file that defines the audit policy configuration.", - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), }, }, - "policyConfiguration": { + "authConfig": { SchemaProps: spec.SchemaProps{ - Description: "policyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig"), }, }, - "logFormat": { + "aggregatorConfig": { SchemaProps: spec.SchemaProps{ - Description: "Format of saved audits (legacy or json).", + Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig"), + }, + }, + "kubeletClientInfo": { + SchemaProps: spec.SchemaProps{ + Description: "kubeletClientInfo contains information about how to connect to kubelets", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo"), + }, + }, + "servicesSubnet": { + SchemaProps: spec.SchemaProps{ + Description: "servicesSubnet is the subnet to use for assigning service IPs", Default: "", Type: []string{"string"}, Format: "", }, }, - "webHookKubeConfig": { + "servicesNodePortRange": { SchemaProps: spec.SchemaProps{ - Description: "Path to a .kubeconfig formatted file that defines the audit webhook configuration.", + Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", Default: "", Type: []string{"string"}, Format: "", }, }, - "webHookMode": { + "consolePublicURL": { SchemaProps: spec.SchemaProps{ - Description: "Strategy for sending audit events (block or batch).", + Description: "DEPRECATED: consolePublicURL has been deprecated and setting it has no effect.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"enabled", "auditFilePath", "maximumFileRetentionDays", "maximumRetainedFiles", "maximumFileSizeMegabytes", "policyFile", "policyConfiguration", "logFormat", "webHookKubeConfig", "webHookMode"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, - } -} - -func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "usersQuery": { + "userAgentMatchingConfig": { SchemaProps: spec.SchemaProps{ - Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", + Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig"), }, }, - "userNameAttributes": { + "imagePolicyConfig": { SchemaProps: spec.SchemaProps{ - Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", + Description: "imagePolicyConfig feeds the image policy admission plugin", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig"), + }, + }, + "projectConfig": { + SchemaProps: spec.SchemaProps{ + Description: "projectConfig feeds an admission plugin", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig"), + }, + }, + "serviceAccountPublicKeyFiles": { + SchemaProps: spec.SchemaProps{ + Description: "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -28791,39 +29677,68 @@ func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref com }, }, }, - "groupMembershipAttributes": { + "oauthConfig": { SchemaProps: spec.SchemaProps{ - Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "oauthConfig, if present start the /oauth endpoint in this process", + Ref: ref("github.com/openshift/api/osin/v1.OAuthConfig"), + }, + }, + "apiServerArguments": { + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - "groupsQuery": { + "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "groupUIDAttribute": { + }, + Required: []string{"servingInfo", "corsAllowedOrigins", "auditConfig", "storageConfig", "admission", "kubeClientConfig", "authConfig", "aggregatorConfig", "kubeletClientInfo", "servicesSubnet", "servicesNodePortRange", "consolePublicURL", "userAgentMatchingConfig", "imagePolicyConfig", "projectConfig", "serviceAccountPublicKeyFiles", "oauthConfig", "apiServerArguments"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.AdmissionConfig", "github.com/openshift/api/config/v1.AuditConfig", "github.com/openshift/api/config/v1.EtcdStorageConfig", "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/kubecontrolplane/v1.AggregatorConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerImagePolicyConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeAPIServerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.KubeletConnectionInfo", "github.com/openshift/api/kubecontrolplane/v1.MasterAuthConfig", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchingConfig", "github.com/openshift/api/osin/v1.OAuthConfig"}, + } +} + +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "internalRegistryHostname": { SchemaProps: spec.SchemaProps{ - Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", + Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", Default: "", Type: []string{"string"}, Format: "", }, }, - "groupNameAttributes": { + "externalRegistryHostnames": { SchemaProps: spec.SchemaProps{ - Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", + Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -28837,19 +29752,38 @@ func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref com }, }, }, - Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes", "groupsQuery", "groupUIDAttribute", "groupNameAttributes"}, + Required: []string{"internalRegistryHostname", "externalRegistryHostnames"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaultNodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "defaultNodeSelector holds default project node label selector", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"defaultNodeSelector"}, + }, + }, + } +} + +func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -28866,217 +29800,198 @@ func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref Format: "", }, }, - "url": { + "serviceServingCert": { SchemaProps: spec.SchemaProps{ - Description: "url is the remote URL to connect to", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "serviceServingCert provides support for the old alpha service serving cert signer CA bundle", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"), }, }, - "ca": { + "projectConfig": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "projectConfig is an optimization for the daemonset controller", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig"), }, }, - "certFile": { + "extendedArguments": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "extendedArguments is used to configure the kube-controller-manager", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, - "keyFile": { + }, + Required: []string{"serviceServingCert", "projectConfig", "extendedArguments"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/kubecontrolplane/v1.KubeControllerManagerProjectConfig", "github.com/openshift/api/kubecontrolplane/v1.ServiceServingCert"}, + } +} + +func schema_openshift_api_kubecontrolplane_v1_KubeControllerManagerProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaultNodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "defaultNodeSelector holds default project node label selector", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"url", "ca", "certFile", "keyFile"}, + Required: []string{"defaultNodeSelector"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildDefaultsConfig controls the default information for Builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "port": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "port is the port to connect to kubelets on", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, - "gitHTTPProxy": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "gitHTTPProxy is the location of the HTTPProxy for Git source", + Description: "ca is the CA for verifying TLS connections to kubelets", + Default: "", Type: []string{"string"}, Format: "", }, }, - "gitHTTPSProxy": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "gitHTTPSProxy is the location of the HTTPSProxy for Git source", + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", Type: []string{"string"}, Format: "", }, }, - "gitNoProxy": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "gitNoProxy is the list of domains for which the proxy should not be used", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", Type: []string{"string"}, Format: "", }, }, - "env": { - SchemaProps: spec.SchemaProps{ - Description: "env is a set of default environment variables that will be applied to the build if the specified variables do not exist on the build", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.EnvVar"), - }, - }, - }, - }, - }, - "sourceStrategyDefaults": { + }, + Required: []string{"port", "ca", "certFile", "keyFile"}, + }, + }, + } +} + +func schema_openshift_api_kubecontrolplane_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "requestHeader": { SchemaProps: spec.SchemaProps{ - Description: "sourceStrategyDefaults are default values that apply to builds using the source strategy.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig"), + Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions"), }, }, - "imageLabels": { + "webhookTokenAuthenticators": { SchemaProps: spec.SchemaProps{ - Description: "imageLabels is a list of labels that are applied to the resulting image. User can override a default label by providing a label with the same name in their Build/BuildConfig.", + Description: "webhookTokenAuthenticators, if present configures remote token reviewers", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), - }, - }, - }, - }, - }, - "nodeSelector": { - SchemaProps: spec.SchemaProps{ - Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "annotations": { - SchemaProps: spec.SchemaProps{ - Description: "annotations are annotations that will be added to the build pod", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"), }, }, }, }, }, - "resources": { + "oauthMetadataFile": { SchemaProps: spec.SchemaProps{ - Description: "resources defines resource requirements to execute the build.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.ResourceRequirements"), + Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, }, }, Dependencies: []string{ - "github.com/openshift/api/build/v1.ImageLabel", "github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements"}, + "github.com/openshift/api/kubecontrolplane/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/kubecontrolplane/v1.WebhookTokenAuthenticator"}, } } -func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildOverridesConfig controls override settings for builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "clientCA is a file with the trusted signer certs. It is required.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "forcePull": { - SchemaProps: spec.SchemaProps{ - Description: "forcePull indicates whether the build strategy should always be set to ForcePull=true", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "imageLabels": { + "clientCommonNames": { SchemaProps: spec.SchemaProps{ - Description: "imageLabels is a list of labels that are applied to the resulting image. If user provided a label in their Build/BuildConfig with the same name as one in this list, the user's label will be overwritten.", + Description: "clientCommonNames is a required list of common names to require a match from.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "nodeSelector": { + "usernameHeaders": { SchemaProps: spec.SchemaProps{ - Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -29087,12 +30002,11 @@ func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.Refere }, }, }, - "annotations": { + "groupHeaders": { SchemaProps: spec.SchemaProps{ - Description: "annotations are annotations that will be added to the build pod", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "groupHeaders is the set of headers to check for group information. All are unioned.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -29103,34 +30017,33 @@ func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.Refere }, }, }, - "tolerations": { + "extraHeaderPrefixes": { SchemaProps: spec.SchemaProps{ - Description: "tolerations is a list of Tolerations that will override any existing tolerations set on a build pod.", + Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.Toleration"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, }, - Required: []string{"forcePull"}, + Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/build/v1.ImageLabel", "k8s.io/api/core/v1.Toleration"}, } } -func schema_openshift_api_legacyconfig_v1_CertInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "CertInfo relates a certificate with a private key", + Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "certFile": { @@ -29141,383 +30054,466 @@ func schema_openshift_api_legacyconfig_v1_CertInfo(ref common.ReferenceCallback) Format: "", }, }, - "keyFile": { - SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, }, - Required: []string{"certFile", "keyFile"}, + Required: []string{"certFile"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ClientConnectionOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClientConnectionOverrides are a set of overrides to the default client connection settings.", + Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "acceptContentTypes": { - SchemaProps: spec.SchemaProps{ - Description: "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "contentType": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "contentType is the content type used when sending data to the server from this client.", + Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", Default: "", Type: []string{"string"}, Format: "", }, }, - "qps": { + "httpVerbs": { SchemaProps: spec.SchemaProps{ - Description: "qps controls the number of queries per second allowed for this connection.", - Default: 0, - Type: []string{"number"}, - Format: "float", + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "burst": { + "rejectionMessage": { SchemaProps: spec.SchemaProps{ - Description: "burst allows extra queries to accumulate when a client is exceeding its rate.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"acceptContentTypes", "contentType", "qps", "burst"}, + Required: []string{"regex", "httpVerbs", "rejectionMessage"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.", + Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "cidr": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "cidr defines the total range of a cluster networks address space.", + Description: "regex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", Default: "", Type: []string{"string"}, Format: "", }, }, - "hostSubnetLength": { + "httpVerbs": { SchemaProps: spec.SchemaProps{ - Description: "hostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pod.", - Default: 0, - Type: []string{"integer"}, - Format: "int64", + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"cidr", "hostSubnetLength"}, + Required: []string{"regex", "httpVerbs"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ControllerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControllerConfig holds configuration values for controllers", + Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "controllers": { + "requiredClients": { SchemaProps: spec.SchemaProps{ - Description: "controllers is a list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller \"+ named 'foo', '-foo' disables the controller named 'foo'. Defaults to \"*\".", + Description: "requiredClients if this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"), }, }, }, }, }, - "election": { + "deniedClients": { SchemaProps: spec.SchemaProps{ - Description: "election defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig"), + Description: "deniedClients if this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule"), + }, + }, + }, }, }, - "serviceServingCert": { + "defaultRejectionMessage": { SchemaProps: spec.SchemaProps{ - Description: "serviceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceServingCert"), + Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"controllers", "election", "serviceServingCert"}, + Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig", "github.com/openshift/api/legacyconfig/v1.ServiceServingCert"}, + "github.com/openshift/api/kubecontrolplane/v1.UserAgentDenyRule", "github.com/openshift/api/kubecontrolplane/v1.UserAgentMatchRule"}, } } -func schema_openshift_api_legacyconfig_v1_ControllerElectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_kubecontrolplane_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControllerElectionConfig contains configuration values for deciding how a controller will be elected to act as leader.", + Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "lockName": { + "configFile": { SchemaProps: spec.SchemaProps{ - Description: "lockName is the resource name used to act as the lock for determining which controller instance should lead.", + Description: "configFile is a path to a Kubeconfig file with the webhook configuration", Default: "", Type: []string{"string"}, Format: "", }, }, - "lockNamespace": { + "cacheTTL": { SchemaProps: spec.SchemaProps{ - Description: "lockNamespace is the resource namespace used to act as the lock for determining which controller instance should lead. It defaults to \"kube-system\"", + Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", Default: "", Type: []string{"string"}, Format: "", }, }, - "lockResource": { - SchemaProps: spec.SchemaProps{ - Description: "lockResource is the group and resource name to use to coordinate for the controller lock. If unset, defaults to \"configmaps\".", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.GroupResource"), - }, - }, }, - Required: []string{"lockName", "lockNamespace", "lockResource"}, + Required: []string{"configFile", "cacheTTL"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.GroupResource"}, } } -func schema_openshift_api_legacyconfig_v1_DNSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DNSConfig holds the necessary configuration options for DNS", + Description: "ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "bindAddress": { + "usersQuery": { SchemaProps: spec.SchemaProps{ - Description: "bindAddress is the ip:port to serve DNS on", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), }, }, - "bindNetwork": { + "userNameAttributes": { SchemaProps: spec.SchemaProps{ - Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "allowRecursiveQueries": { + "groupMembershipAttributes": { SchemaProps: spec.SchemaProps{ - Description: "allowRecursiveQueries allows the DNS server on the master to answer queries recursively. Note that open resolvers can be used for DNS amplification attacks and the master DNS should not be made accessible to public networks.", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"bindAddress", "bindNetwork", "allowRecursiveQueries"}, + Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_DefaultAdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DefaultAdmissionConfig can be used to enable or disable various admission plugins. When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, this will cause an \"off by default\" admission plugin to be enabled\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "AdmissionConfig holds the necessary configuration options for admission", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "pluginConfig": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "pluginConfig allows specifying a configuration file per admission control plugin", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"), + }, + }, + }, }, }, - "disable": { + "pluginOrderOverride": { SchemaProps: spec.SchemaProps{ - Description: "disable turns off an admission plugin that is enabled by default.", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "pluginOrderOverride is a list of admission control plugin names that will be installed on the master. Order is significant. If empty, a default list of plugins is used.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"disable"}, + Required: []string{"pluginConfig"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.AdmissionPluginConfig"}, } } -func schema_openshift_api_legacyconfig_v1_DenyAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AdmissionPluginConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DenyAllPasswordIdentityProvider provides no identities for users\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "AdmissionPluginConfig holds the necessary configuration options for admission plugins", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "location": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "location is the path to a configuration file that contains the plugin's configuration", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "configuration": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "configuration is an embedded configuration object to be used as the plugin's configuration. If present, it will be used instead of the path to the configuration file.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, }, + Required: []string{"location", "configuration"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_DockerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AggregatorConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DockerConfig holds Docker related configuration options.", + Description: "AggregatorConfig holds information required to make the aggregator function.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "execHandlerName": { + "proxyClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "execHandlerName is the name of the handler to use for executing commands in containers.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), }, }, - "dockerShimSocket": { + }, + Required: []string{"proxyClientInfo"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.CertInfo"}, + } +} + +func schema_openshift_api_legacyconfig_v1_AllowAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "dockerShimSocket is the location of the dockershim socket the kubelet uses. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "dockerShimRootDirectory": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "dockerShimRootDirectory is the dockershim root directory.", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"execHandlerName", "dockerShimSocket", "dockerShimRootDirectory"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_EtcdConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AuditConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EtcdConfig holds the necessary configuration options for connecting with an etcd database", + Description: "AuditConfig holds configuration for the audit capabilities", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "servingInfo": { + "enabled": { SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving the etcd master", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + Description: "If this flag is set, audit log will be printed in the logs. The logs contains, method, user and a requested URL.", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, - "address": { + "auditFilePath": { SchemaProps: spec.SchemaProps{ - Description: "address is the advertised host:port for client connections to etcd", + Description: "All requests coming to the apiserver will be logged to this file.", Default: "", Type: []string{"string"}, Format: "", }, }, - "peerServingInfo": { + "maximumFileRetentionDays": { SchemaProps: spec.SchemaProps{ - Description: "peerServingInfo describes how to start serving the etcd peer", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + Description: "Maximum number of days to retain old log files based on the timestamp encoded in their filename.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "peerAddress": { + "maximumRetainedFiles": { SchemaProps: spec.SchemaProps{ - Description: "peerAddress is the advertised host:port for peer connections to etcd", + Description: "Maximum number of old log files to retain.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "maximumFileSizeMegabytes": { + SchemaProps: spec.SchemaProps{ + Description: "Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "policyFile": { + SchemaProps: spec.SchemaProps{ + Description: "policyFile is a path to the file that defines the audit policy configuration.", Default: "", Type: []string{"string"}, Format: "", }, }, - "storageDirectory": { + "policyConfiguration": { SchemaProps: spec.SchemaProps{ - Description: "StorageDir is the path to the etcd storage directory", + Description: "policyConfiguration is an embedded policy configuration object to be used as the audit policy configuration. If present, it will be used instead of the path to the policy file.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + }, + }, + "logFormat": { + SchemaProps: spec.SchemaProps{ + Description: "Format of saved audits (legacy or json).", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "webHookKubeConfig": { + SchemaProps: spec.SchemaProps{ + Description: "Path to a .kubeconfig formatted file that defines the audit webhook configuration.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "webHookMode": { + SchemaProps: spec.SchemaProps{ + Description: "Strategy for sending audit events (block or batch).", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"servingInfo", "address", "peerServingInfo", "peerAddress", "storageDirectory"}, + Required: []string{"enabled", "auditFilePath", "maximumFileRetentionDays", "maximumRetainedFiles", "maximumFileSizeMegabytes", "policyFile", "policyConfiguration", "logFormat", "webHookKubeConfig", "webHookMode"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_EtcdConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_AugmentedActiveDirectoryConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EtcdConnectionInfo holds information necessary for connecting to an etcd server", + Description: "AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "urls": { + "usersQuery": { SchemaProps: spec.SchemaProps{ - Description: "urls are the URLs for etcd", + Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + }, + }, + "userNameAttributes": { + SchemaProps: spec.SchemaProps{ + Description: "userNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -29530,88 +30526,125 @@ func schema_openshift_api_legacyconfig_v1_EtcdConnectionInfo(ref common.Referenc }, }, }, - "ca": { + "groupMembershipAttributes": { SchemaProps: spec.SchemaProps{ - Description: "ca is a file containing trusted roots for the etcd server certificates", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "groupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "certFile": { + "groupsQuery": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), }, }, - "keyFile": { + "groupUIDAttribute": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", Default: "", Type: []string{"string"}, Format: "", }, }, + "groupNameAttributes": { + SchemaProps: spec.SchemaProps{ + Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, }, - Required: []string{"urls", "ca", "certFile", "keyFile"}, + Required: []string{"usersQuery", "userNameAttributes", "groupMembershipAttributes", "groupsQuery", "groupUIDAttribute", "groupNameAttributes"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_EtcdStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BasicAuthPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EtcdStorageConfig holds the necessary configuration options for the etcd storage underlying OpenShift and Kubernetes", + Description: "BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kubernetesStorageVersion": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "kubernetesStorageVersion is the API version that Kube resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url is the remote URL to connect to", Default: "", Type: []string{"string"}, Format: "", }, }, - "kubernetesStoragePrefix": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "kubernetesStoragePrefix is the path within etcd that the Kubernetes resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'kubernetes.io'.", + Description: "ca is the CA for verifying TLS connections", Default: "", Type: []string{"string"}, Format: "", }, }, - "openShiftStorageVersion": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "openShiftStorageVersion is the API version that OS resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "openShiftStoragePrefix": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "openShiftStoragePrefix is the path within etcd that the OpenShift resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'openshift.io'.", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"kubernetesStorageVersion", "kubernetesStoragePrefix", "openShiftStorageVersion", "openShiftStoragePrefix"}, + Required: []string{"url", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BuildDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GitHubIdentityProvider provides identities for users authenticating using GitHub credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "BuildDefaultsConfig controls the default information for Builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -29628,40 +30661,67 @@ func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.Refe Format: "", }, }, - "clientID": { + "gitHTTPProxy": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", - Default: "", + Description: "gitHTTPProxy is the location of the HTTPProxy for Git source", Type: []string{"string"}, Format: "", }, }, - "clientSecret": { + "gitHTTPSProxy": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + Description: "gitHTTPSProxy is the location of the HTTPSProxy for Git source", + Type: []string{"string"}, + Format: "", }, }, - "organizations": { + "gitNoProxy": { SchemaProps: spec.SchemaProps{ - Description: "organizations optionally restricts which organizations are allowed to log in", + Description: "gitNoProxy is the list of domains for which the proxy should not be used", + Type: []string{"string"}, + Format: "", + }, + }, + "env": { + SchemaProps: spec.SchemaProps{ + Description: "env is a set of default environment variables that will be applied to the build if the specified variables do not exist on the build", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.EnvVar"), }, }, }, }, }, - "teams": { + "sourceStrategyDefaults": { SchemaProps: spec.SchemaProps{ - Description: "teams optionally restricts which teams are allowed to log in. Format is /.", + Description: "sourceStrategyDefaults are default values that apply to builds using the source strategy.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig"), + }, + }, + "imageLabels": { + SchemaProps: spec.SchemaProps{ + Description: "imageLabels is a list of labels that are applied to the resulting image. User can override a default label by providing a label with the same name in their Build/BuildConfig.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), + }, + }, + }, + }, + }, + "nodeSelector": { + SchemaProps: spec.SchemaProps{ + Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -29672,36 +30732,42 @@ func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.Refe }, }, }, - "hostname": { + "annotations": { SchemaProps: spec.SchemaProps{ - Description: "hostname is the optional domain (e.g. \"mycompany.com\") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "annotations are annotations that will be added to the build pod", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "ca": { + "resources": { SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "resources defines resource requirements to execute the build.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.ResourceRequirements"), }, }, }, - Required: []string{"clientID", "clientSecret", "organizations", "teams", "hostname", "ca"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, + "github.com/openshift/api/build/v1.ImageLabel", "github.com/openshift/api/legacyconfig/v1.SourceStrategyDefaultsConfig", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.ResourceRequirements"}, } } -func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_BuildOverridesConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GitLabIdentityProvider provides identities for users authenticating using GitLab credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "BuildOverridesConfig controls override settings for builds\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -29718,541 +30784,569 @@ func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.Refe Format: "", }, }, - "ca": { + "forcePull": { SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", - Default: "", - Type: []string{"string"}, + Description: "forcePull indicates whether the build strategy should always be set to ForcePull=true", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "url": { + "imageLabels": { SchemaProps: spec.SchemaProps{ - Description: "url is the oauth server base URL", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "imageLabels is a list of labels that are applied to the resulting image. If user provided a label in their Build/BuildConfig with the same name as one in this list, the user's label will be overwritten.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/build/v1.ImageLabel"), + }, + }, + }, }, }, - "clientID": { + "nodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "nodeSelector is a selector which must be true for the build pod to fit on a node", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "clientSecret": { + "annotations": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + Description: "annotations are annotations that will be added to the build pod", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "legacy": { + "tolerations": { SchemaProps: spec.SchemaProps{ - Description: "legacy determines if OAuth2 or OIDC should be used If true, OAuth2 is used If false, OIDC is used If nil and the URL's host is gitlab.com, OIDC is used Otherwise, OAuth2 is used In a future release, nil will default to using OIDC Eventually this flag will be removed and only OIDC will be used", - Type: []string{"boolean"}, - Format: "", + Description: "tolerations is a list of Tolerations that will override any existing tolerations set on a build pod.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Toleration"), + }, + }, + }, }, }, }, - Required: []string{"ca", "url", "clientID", "clientSecret"}, + Required: []string{"forcePull"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, + "github.com/openshift/api/build/v1.ImageLabel", "k8s.io/api/core/v1.Toleration"}, } } -func schema_openshift_api_legacyconfig_v1_GoogleIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_CertInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GoogleIdentityProvider provides identities for users authenticating using Google credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "CertInfo relates a certificate with a private key", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "clientID": { - SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "clientSecret": { - SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "hostedDomain": { - SchemaProps: spec.SchemaProps{ - Description: "hostedDomain is the optional Google App domain (e.g. \"mycompany.com\") to restrict logins to", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"clientID", "clientSecret", "hostedDomain"}, + Required: []string{"certFile", "keyFile"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_GrantConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ClientConnectionOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GrantConfig holds the necessary configuration options for grant handlers", + Description: "ClientConnectionOverrides are a set of overrides to the default client connection settings.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "method": { + "acceptContentTypes": { SchemaProps: spec.SchemaProps{ - Description: "method determines the default strategy to use when an OAuth client requests a grant. This method will be used only if the specific OAuth client doesn't provide a strategy of their own. Valid grant handling methods are:\n - auto: always approves grant requests, useful for trusted clients\n - prompt: prompts the end user for approval of grant requests, useful for third-party clients\n - deny: always denies grant requests, useful for black-listed clients", + Description: "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.", Default: "", Type: []string{"string"}, Format: "", }, }, - "serviceAccountMethod": { + "contentType": { SchemaProps: spec.SchemaProps{ - Description: "serviceAccountMethod is used for determining client authorization for service account oauth client. It must be either: deny, prompt", + Description: "contentType is the content type used when sending data to the server from this client.", Default: "", Type: []string{"string"}, Format: "", }, }, + "qps": { + SchemaProps: spec.SchemaProps{ + Description: "qps controls the number of queries per second allowed for this connection.", + Default: 0, + Type: []string{"number"}, + Format: "float", + }, + }, + "burst": { + SchemaProps: spec.SchemaProps{ + Description: "burst allows extra queries to accumulate when a client is exceeding its rate.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, }, - Required: []string{"method", "serviceAccountMethod"}, + Required: []string{"acceptContentTypes", "contentType", "qps", "burst"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_GroupResource(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GroupResource points to a resource by its name and API group.", + Description: "ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "group": { + "cidr": { SchemaProps: spec.SchemaProps{ - Description: "group is the name of an API group", + Description: "cidr defines the total range of a cluster networks address space.", Default: "", Type: []string{"string"}, Format: "", }, }, - "resource": { + "hostSubnetLength": { SchemaProps: spec.SchemaProps{ - Description: "resource is the name of a resource.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "hostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pod.", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"group", "resource"}, + Required: []string{"cidr", "hostSubnetLength"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_HTPasswdPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ControllerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "ControllerConfig holds configuration values for controllers", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "controllers": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "controllers is a list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller \"+ named 'foo', '-foo' disables the controller named 'foo'. Defaults to \"*\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "apiVersion": { + "election": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "election defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig"), }, }, - "file": { + "serviceServingCert": { SchemaProps: spec.SchemaProps{ - Description: "file is a reference to your htpasswd file", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "serviceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceServingCert"), }, }, }, - Required: []string{"file"}, + Required: []string{"controllers", "election", "serviceServingCert"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ControllerElectionConfig", "github.com/openshift/api/legacyconfig/v1.ServiceServingCert"}, } } -func schema_openshift_api_legacyconfig_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ControllerElectionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "HTTPServingInfo holds configuration for serving HTTP", + Description: "ControllerElectionConfig contains configuration values for deciding how a controller will be elected to act as leader.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "bindAddress": { + "lockName": { SchemaProps: spec.SchemaProps{ - Description: "bindAddress is the ip:port to serve on", + Description: "lockName is the resource name used to act as the lock for determining which controller instance should lead.", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindNetwork": { + "lockNamespace": { SchemaProps: spec.SchemaProps{ - Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Description: "lockNamespace is the resource namespace used to act as the lock for determining which controller instance should lead. It defaults to \"kube-system\"", Default: "", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "lockResource": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "lockResource is the group and resource name to use to coordinate for the controller lock. If unset, defaults to \"configmaps\".", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.GroupResource"), }, }, - "keyFile": { + }, + Required: []string{"lockName", "lockNamespace", "lockResource"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.GroupResource"}, + } +} + +func schema_openshift_api_legacyconfig_v1_DNSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DNSConfig holds the necessary configuration options for DNS", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "bindAddress": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "bindAddress is the ip:port to serve DNS on", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCA": { + "bindNetwork": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", + Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", Default: "", Type: []string{"string"}, Format: "", }, }, - "namedCertificates": { - SchemaProps: spec.SchemaProps{ - Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), - }, - }, - }, - }, - }, - "minTLSVersion": { + "allowRecursiveQueries": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"string"}, + Description: "allowRecursiveQueries allows the DNS server on the master to answer queries recursively. Note that open resolvers can be used for DNS amplification attacks and the master DNS should not be made accessible to public networks.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "cipherSuites": { - SchemaProps: spec.SchemaProps{ - Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "maxRequestsInFlight": { - SchemaProps: spec.SchemaProps{ - Description: "maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "requestTimeoutSeconds": { - SchemaProps: spec.SchemaProps{ - Description: "requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if -1 there is no limit on requests.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, }, - Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates", "maxRequestsInFlight", "requestTimeoutSeconds"}, + Required: []string{"bindAddress", "bindNetwork", "allowRecursiveQueries"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, } } -func schema_openshift_api_legacyconfig_v1_IdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_DefaultAdmissionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "IdentityProvider provides identities for users authenticating using credentials", + Description: "DefaultAdmissionConfig can be used to enable or disable various admission plugins. When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, this will cause an \"off by default\" admission plugin to be enabled\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "name is used to qualify the identities returned by this provider", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "challenge": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider", - Default: false, - Type: []string{"boolean"}, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, Format: "", }, }, - "login": { + "disable": { SchemaProps: spec.SchemaProps{ - Description: "UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against", + Description: "disable turns off an admission plugin that is enabled by default.", Default: false, Type: []string{"boolean"}, Format: "", }, }, - "mappingMethod": { + }, + Required: []string{"disable"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_DenyAllPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DenyAllPasswordIdentityProvider provides no identities for users\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "mappingMethod determines how identities from this provider are mapped to users", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "provider": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "provider contains the information about how to set up a specific identity provider", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"name", "challenge", "login", "mappingMethod", "provider"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_legacyconfig_v1_ImageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_DockerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ImageConfig holds the necessary configuration options for building image names for system components", + Description: "DockerConfig holds Docker related configuration options.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "format": { + "execHandlerName": { SchemaProps: spec.SchemaProps{ - Description: "format is the format of the name to be built for the system component", + Description: "execHandlerName is the name of the handler to use for executing commands in containers.", Default: "", Type: []string{"string"}, Format: "", }, }, - "latest": { + "dockerShimSocket": { SchemaProps: spec.SchemaProps{ - Description: "latest determines if the latest tag will be pulled from the registry", - Default: false, - Type: []string{"boolean"}, + Description: "dockerShimSocket is the location of the dockershim socket the kubelet uses. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "dockerShimRootDirectory": { + SchemaProps: spec.SchemaProps{ + Description: "dockerShimRootDirectory is the dockershim root directory.", + Default: "", + Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"format", "latest"}, + Required: []string{"execHandlerName", "dockerShimSocket", "dockerShimRootDirectory"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_EtcdConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyConfig holds the necessary configuration options for limits and behavior for importing images", + Description: "EtcdConfig holds the necessary configuration options for connecting with an etcd database", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "maxImagesBulkImportedPerRepository": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "maxImagesBulkImportedPerRepository controls the number of images that are imported when a user does a bulk import of a container repository. This number defaults to 50 to prevent users from importing large numbers of images accidentally. Set -1 for no limit.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "servingInfo describes how to start serving the etcd master", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), }, }, - "disableScheduledImport": { + "address": { SchemaProps: spec.SchemaProps{ - Description: "disableScheduledImport allows scheduled background import of images to be disabled.", - Default: false, - Type: []string{"boolean"}, + Description: "address is the advertised host:port for client connections to etcd", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "scheduledImageImportMinimumIntervalSeconds": { + "peerServingInfo": { SchemaProps: spec.SchemaProps{ - Description: "scheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams scheduled for background import are checked against the upstream repository. The default value is 15 minutes.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "peerServingInfo describes how to start serving the etcd peer", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), }, }, - "maxScheduledImageImportsPerMinute": { + "peerAddress": { SchemaProps: spec.SchemaProps{ - Description: "maxScheduledImageImportsPerMinute is the maximum number of scheduled image streams that will be imported in the background per minute. The default value is 60. Set to -1 for unlimited.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "peerAddress is the advertised host:port for peer connections to etcd", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "allowedRegistriesForImport": { + "storageDirectory": { SchemaProps: spec.SchemaProps{ - Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", + Description: "StorageDir is the path to the etcd storage directory", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"servingInfo", "address", "peerServingInfo", "peerAddress", "storageDirectory"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, + } +} + +func schema_openshift_api_legacyconfig_v1_EtcdConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "EtcdConnectionInfo holds information necessary for connecting to an etcd server", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "urls": { + SchemaProps: spec.SchemaProps{ + Description: "urls are the URLs for etcd", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.RegistryLocation"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "internalRegistryHostname": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", + Description: "ca is a file containing trusted roots for the etcd server certificates", + Default: "", Type: []string{"string"}, Format: "", }, }, - "externalRegistryHostname": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "externalRegistryHostname sets the hostname for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", Type: []string{"string"}, Format: "", }, }, - "additionalTrustedCA": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "additionalTrustedCA is a path to a pem bundle file containing additional CAs that should be trusted during imagestream import.", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"maxImagesBulkImportedPerRepository", "disableScheduledImport", "scheduledImageImportMinimumIntervalSeconds", "maxScheduledImageImportsPerMinute"}, + Required: []string{"urls", "ca", "certFile", "keyFile"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.RegistryLocation"}, } } -func schema_openshift_api_legacyconfig_v1_JenkinsPipelineConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_EtcdStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy", + Description: "EtcdStorageConfig holds the necessary configuration options for the etcd storage underlying OpenShift and Kubernetes", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "autoProvisionEnabled": { + "kubernetesStorageVersion": { SchemaProps: spec.SchemaProps{ - Description: "autoProvisionEnabled determines whether a Jenkins server will be spawned from the provided template when the first build config in the project with type JenkinsPipeline is created. When not specified this option defaults to true.", - Type: []string{"boolean"}, + Description: "kubernetesStorageVersion is the API version that Kube resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "templateNamespace": { + "kubernetesStoragePrefix": { SchemaProps: spec.SchemaProps{ - Description: "templateNamespace contains the namespace name where the Jenkins template is stored", + Description: "kubernetesStoragePrefix is the path within etcd that the Kubernetes resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'kubernetes.io'.", Default: "", Type: []string{"string"}, Format: "", }, }, - "templateName": { + "openShiftStorageVersion": { SchemaProps: spec.SchemaProps{ - Description: "templateName is the name of the default Jenkins template", + Description: "openShiftStorageVersion is the API version that OS resources in etcd should be serialized to. This value should *not* be advanced until all clients in the cluster that read from etcd have code that allows them to read the new version.", Default: "", Type: []string{"string"}, Format: "", }, }, - "serviceName": { + "openShiftStoragePrefix": { SchemaProps: spec.SchemaProps{ - Description: "serviceName is the name of the Jenkins service OpenShift uses to detect whether a Jenkins pipeline handler has already been installed in a project. This value *must* match a service name in the provided template.", + Description: "openShiftStoragePrefix is the path within etcd that the OpenShift resources will be rooted under. This value, if changed, will mean existing objects in etcd will no longer be located. The default value is 'openshift.io'.", Default: "", Type: []string{"string"}, Format: "", }, }, - "parameters": { - SchemaProps: spec.SchemaProps{ - Description: "parameters specifies a set of optional parameters to the Jenkins template.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, }, - Required: []string{"autoProvisionEnabled", "templateNamespace", "templateName", "serviceName", "parameters"}, + Required: []string{"kubernetesStorageVersion", "kubernetesStoragePrefix", "openShiftStorageVersion", "openShiftStoragePrefix"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GitHubIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "GitHubIdentityProvider provides identities for users authenticating using GitHub credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -30269,340 +31363,361 @@ func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref c Format: "", }, }, - "url": { + "clientID": { SchemaProps: spec.SchemaProps{ - Description: "url is the remote URL to connect to", + Description: "clientID is the oauth client ID", Default: "", Type: []string{"string"}, Format: "", }, }, - "ca": { + "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "certFile": { + "organizations": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "organizations optionally restricts which organizations are allowed to log in", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "keyFile": { + "teams": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "teams optionally restricts which teams are allowed to log in. Format is /.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "domainName": { + "hostname": { SchemaProps: spec.SchemaProps{ - Description: "Domain Name is required for keystone v3", + Description: "hostname is the optional domain (e.g. \"mycompany.com\") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.", Default: "", Type: []string{"string"}, Format: "", }, }, - "useKeystoneIdentity": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "useKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username", - Default: false, - Type: []string{"boolean"}, + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.", + Default: "", + Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"url", "ca", "certFile", "keyFile", "domainName", "useKeystoneIdentity"}, + Required: []string{"clientID", "clientSecret", "organizations", "teams", "hostname", "ca"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GitLabIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", + Description: "GitLabIdentityProvider provides identities for users authenticating using GitLab credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "port": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "port is the port to connect to kubelets on", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "ca": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections to kubelets", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "url is the oauth server base URL", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "clientID": { + SchemaProps: spec.SchemaProps{ + Description: "clientID is the oauth client ID", Default: "", Type: []string{"string"}, Format: "", }, }, + "clientSecret": { + SchemaProps: spec.SchemaProps{ + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + }, + }, + "legacy": { + SchemaProps: spec.SchemaProps{ + Description: "legacy determines if OAuth2 or OIDC should be used If true, OAuth2 is used If false, OIDC is used If nil and the URL's host is gitlab.com, OIDC is used Otherwise, OAuth2 is used In a future release, nil will default to using OIDC Eventually this flag will be removed and only OIDC will be used", + Type: []string{"boolean"}, + Format: "", + }, + }, }, - Required: []string{"port", "ca", "certFile", "keyFile"}, + Required: []string{"ca", "url", "clientID", "clientSecret"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_KubernetesMasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_GoogleIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KubernetesMasterConfig holds the necessary configuration options for the Kubernetes master", + Description: "GoogleIdentityProvider provides identities for users authenticating using Google credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "apiLevels": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "disabledAPIGroupVersions": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "disabledAPIGroupVersions is a map of groups to the versions (or *) that should be disabled.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "masterIP": { + "clientID": { SchemaProps: spec.SchemaProps{ - Description: "masterIP is the public IP address of kubernetes stuff. If empty, the first result from net.InterfaceAddrs will be used.", + Description: "clientID is the oauth client ID", Default: "", Type: []string{"string"}, Format: "", }, }, - "masterEndpointReconcileTTL": { + "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "masterEndpointReconcileTTL sets the time to live in seconds of an endpoint record recorded by each master. The endpoints are checked at an interval that is 2/3 of this value and this value defaults to 15s if unset. In very large clusters, this value may be increased to reduce the possibility that the master endpoint record expires (due to other load on the etcd server) and causes masters to drop in and out of the kubernetes service record. It is not recommended to set this value below 15s.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), }, }, - "servicesSubnet": { + "hostedDomain": { SchemaProps: spec.SchemaProps{ - Description: "servicesSubnet is the subnet to use for assigning service IPs", + Description: "hostedDomain is the optional Google App domain (e.g. \"mycompany.com\") to restrict logins to", Default: "", Type: []string{"string"}, Format: "", }, }, - "servicesNodePortRange": { + }, + Required: []string{"clientID", "clientSecret", "hostedDomain"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.StringSource"}, + } +} + +func schema_openshift_api_legacyconfig_v1_GrantConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GrantConfig holds the necessary configuration options for grant handlers", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "method": { SchemaProps: spec.SchemaProps{ - Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", + Description: "method determines the default strategy to use when an OAuth client requests a grant. This method will be used only if the specific OAuth client doesn't provide a strategy of their own. Valid grant handling methods are:\n - auto: always approves grant requests, useful for trusted clients\n - prompt: prompts the end user for approval of grant requests, useful for third-party clients\n - deny: always denies grant requests, useful for black-listed clients", Default: "", Type: []string{"string"}, Format: "", }, }, - "schedulerConfigFile": { + "serviceAccountMethod": { SchemaProps: spec.SchemaProps{ - Description: "schedulerConfigFile points to a file that describes how to set up the scheduler. If empty, you get the default scheduling rules.", + Description: "serviceAccountMethod is used for determining client authorization for service account oauth client. It must be either: deny, prompt", Default: "", Type: []string{"string"}, Format: "", }, }, - "podEvictionTimeout": { + }, + Required: []string{"method", "serviceAccountMethod"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_GroupResource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GroupResource points to a resource by its name and API group.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "group": { SchemaProps: spec.SchemaProps{ - Description: "podEvictionTimeout controls grace period for deleting pods on failed nodes. It takes valid time duration string. If empty, you get the default pod eviction timeout.", + Description: "group is the name of an API group", Default: "", Type: []string{"string"}, Format: "", }, }, - "proxyClientInfo": { + "resource": { SchemaProps: spec.SchemaProps{ - Description: "proxyClientInfo specifies the client cert/key to use when proxying to pods", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), + Description: "resource is the name of a resource.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "apiServerArguments": { + }, + Required: []string{"group", "resource"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_HTPasswdPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "apiServerArguments are key value pairs that will be passed directly to the Kube apiserver that match the apiservers's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "controllerArguments": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "controllerArguments are key value pairs that will be passed directly to the Kube controller manager that match the controller manager's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "schedulerArguments": { + "file": { SchemaProps: spec.SchemaProps{ - Description: "schedulerArguments are key value pairs that will be passed directly to the Kube scheduler that match the scheduler's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, + Description: "file is a reference to your htpasswd file", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"apiLevels", "disabledAPIGroupVersions", "masterIP", "masterEndpointReconcileTTL", "servicesSubnet", "servicesNodePortRange", "schedulerConfigFile", "podEvictionTimeout", "proxyClientInfo", "apiServerArguments", "controllerArguments", "schedulerArguments"}, + Required: []string{"file"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.CertInfo"}, } } -func schema_openshift_api_legacyconfig_v1_LDAPAttributeMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields", + Description: "HTTPServingInfo holds configuration for serving HTTP", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "id": { + "bindAddress": { SchemaProps: spec.SchemaProps{ - Description: "id is the list of attributes whose values should be used as the user ID. Required. LDAP standard identity attribute is \"dn\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "bindAddress is the ip:port to serve on", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "preferredUsername": { + "bindNetwork": { SchemaProps: spec.SchemaProps{ - Description: "preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is \"uid\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "name": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is \"cn\"", + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "keyFile": { + SchemaProps: spec.SchemaProps{ + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "clientCA": { + SchemaProps: spec.SchemaProps{ + Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "namedCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), }, }, }, }, }, - "email": { + "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", + Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", + Type: []string{"string"}, + Format: "", + }, + }, + "cipherSuites": { + SchemaProps: spec.SchemaProps{ + Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -30615,212 +31730,239 @@ func schema_openshift_api_legacyconfig_v1_LDAPAttributeMapping(ref common.Refere }, }, }, + "maxRequestsInFlight": { + SchemaProps: spec.SchemaProps{ + Description: "maxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "requestTimeoutSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "requestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if -1 there is no limit on requests.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, }, - Required: []string{"id", "preferredUsername", "name", "email"}, + Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates", "maxRequestsInFlight", "requestTimeoutSeconds"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, } } -func schema_openshift_api_legacyconfig_v1_LDAPPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_IdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "IdentityProvider provides identities for users authenticating using credentials", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "name is used to qualify the identities returned by this provider", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "challenge": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, + Description: "UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "url": { + "login": { SchemaProps: spec.SchemaProps{ - Description: "url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is\n ldap://host:port/basedn?attribute?scope?filter", - Default: "", - Type: []string{"string"}, + Description: "UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "bindDN": { + "mappingMethod": { SchemaProps: spec.SchemaProps{ - Description: "bindDN is an optional DN to bind with during the search phase.", + Description: "mappingMethod determines how identities from this provider are mapped to users", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindPassword": { - SchemaProps: spec.SchemaProps{ - Description: "bindPassword is an optional password to bind with during the search phase.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "insecure": { + "provider": { SchemaProps: spec.SchemaProps{ - Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", - Default: false, - Type: []string{"boolean"}, - Format: "", + Description: "provider contains the information about how to set up a specific identity provider", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, - "ca": { + }, + Required: []string{"name", "challenge", "login", "mappingMethod", "provider"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + } +} + +func schema_openshift_api_legacyconfig_v1_ImageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImageConfig holds the necessary configuration options for building image names for system components", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "format": { SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Description: "format is the format of the name to be built for the system component", Default: "", Type: []string{"string"}, Format: "", }, }, - "attributes": { + "latest": { SchemaProps: spec.SchemaProps{ - Description: "attributes maps LDAP attributes to identities", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping"), + Description: "latest determines if the latest tag will be pulled from the registry", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, }, - Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "attributes"}, + Required: []string{"format", "latest"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping", "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_LDAPQuery(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ImagePolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LDAPQuery holds the options necessary to build an LDAP query", + Description: "ImagePolicyConfig holds the necessary configuration options for limits and behavior for importing images", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "baseDN": { + "maxImagesBulkImportedPerRepository": { SchemaProps: spec.SchemaProps{ - Description: "The DN of the branch of the directory where all searches should start from", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "maxImagesBulkImportedPerRepository controls the number of images that are imported when a user does a bulk import of a container repository. This number defaults to 50 to prevent users from importing large numbers of images accidentally. Set -1 for no limit.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "scope": { + "disableScheduledImport": { SchemaProps: spec.SchemaProps{ - Description: "The (optional) scope of the search. Can be: base: only the base object, one: all object on the base level, sub: the entire subtree Defaults to the entire subtree if not set", - Default: "", - Type: []string{"string"}, + Description: "disableScheduledImport allows scheduled background import of images to be disabled.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "derefAliases": { + "scheduledImageImportMinimumIntervalSeconds": { SchemaProps: spec.SchemaProps{ - Description: "The (optional) behavior of the search with regards to alisases. Can be: never: never dereference aliases, search: only dereference in searching, base: only dereference in finding the base object, always: always dereference Defaults to always dereferencing if not set", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "scheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams scheduled for background import are checked against the upstream repository. The default value is 15 minutes.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "timeout": { + "maxScheduledImageImportsPerMinute": { SchemaProps: spec.SchemaProps{ - Description: "TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is 0, no client-side limit is imposed", + Description: "maxScheduledImageImportsPerMinute is the maximum number of scheduled image streams that will be imported in the background per minute. The default value is 60. Set to -1 for unlimited.", Default: 0, Type: []string{"integer"}, Format: "int32", }, }, - "filter": { + "allowedRegistriesForImport": { SchemaProps: spec.SchemaProps{ - Description: "filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN", - Default: "", + Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.RegistryLocation"), + }, + }, + }, + }, + }, + "internalRegistryHostname": { + SchemaProps: spec.SchemaProps{ + Description: "internalRegistryHostname sets the hostname for the default internal image registry. The value must be in \"hostname[:port]\" format.", Type: []string{"string"}, Format: "", }, }, - "pageSize": { + "externalRegistryHostname": { SchemaProps: spec.SchemaProps{ - Description: "pageSize is the maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "externalRegistryHostname sets the hostname for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Type: []string{"string"}, + Format: "", + }, + }, + "additionalTrustedCA": { + SchemaProps: spec.SchemaProps{ + Description: "additionalTrustedCA is a path to a pem bundle file containing additional CAs that should be trusted during imagestream import.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"baseDN", "scope", "derefAliases", "timeout", "filter", "pageSize"}, + Required: []string{"maxImagesBulkImportedPerRepository", "disableScheduledImport", "scheduledImageImportMinimumIntervalSeconds", "maxScheduledImageImportsPerMinute"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.RegistryLocation"}, } } -func schema_openshift_api_legacyconfig_v1_LDAPSyncConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_JenkinsPipelineConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "autoProvisionEnabled": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, + Description: "autoProvisionEnabled determines whether a Jenkins server will be spawned from the provided template when the first build config in the project with type JenkinsPipeline is created. When not specified this option defaults to true.", + Type: []string{"boolean"}, Format: "", }, }, - "apiVersion": { + "templateNamespace": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "templateNamespace contains the namespace name where the Jenkins template is stored", + Default: "", Type: []string{"string"}, Format: "", }, }, - "url": { + "templateName": { SchemaProps: spec.SchemaProps{ - Description: "Host is the scheme, host and port of the LDAP server to connect to: scheme://host:port", + Description: "templateName is the name of the default Jenkins template", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindDN": { + "serviceName": { SchemaProps: spec.SchemaProps{ - Description: "bindDN is an optional DN to bind to the LDAP server with", + Description: "serviceName is the name of the Jenkins service OpenShift uses to detect whether a Jenkins pipeline handler has already been installed in a project. This value *must* match a service name in the provided template.", Default: "", Type: []string{"string"}, Format: "", }, }, - "bindPassword": { + "parameters": { SchemaProps: spec.SchemaProps{ - Description: "bindPassword is an optional password to bind with during the search phase.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), - }, - }, - "insecure": { - SchemaProps: spec.SchemaProps{ - Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "ca": { - SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "groupUIDNameMapping": { - SchemaProps: spec.SchemaProps{ - Description: "LDAPGroupUIDToOpenShiftGroupNameMapping is an optional direct mapping of LDAP group UIDs to OpenShift Group names", + Description: "parameters specifies a set of optional parameters to the Jenkins template.", Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, @@ -30834,134 +31976,18 @@ func schema_openshift_api_legacyconfig_v1_LDAPSyncConfig(ref common.ReferenceCal }, }, }, - "rfc2307": { - SchemaProps: spec.SchemaProps{ - Description: "RFC2307Config holds the configuration for extracting data from an LDAP server set up in a fashion similar to RFC2307: first-class group and user entries, with group membership determined by a multi-valued attribute on the group entry listing its members", - Ref: ref("github.com/openshift/api/legacyconfig/v1.RFC2307Config"), - }, - }, - "activeDirectory": { - SchemaProps: spec.SchemaProps{ - Description: "ActiveDirectoryConfig holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory: first-class user entries, with group membership determined by a multi-valued attribute on members listing groups they are a member of", - Ref: ref("github.com/openshift/api/legacyconfig/v1.ActiveDirectoryConfig"), - }, - }, - "augmentedActiveDirectory": { - SchemaProps: spec.SchemaProps{ - Description: "AugmentedActiveDirectoryConfig holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory as described above, with one addition: first-class group entries exist and are used to hold metadata but not group membership", - Ref: ref("github.com/openshift/api/legacyconfig/v1.AugmentedActiveDirectoryConfig"), - }, - }, }, - Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "groupUIDNameMapping"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ActiveDirectoryConfig", "github.com/openshift/api/legacyconfig/v1.AugmentedActiveDirectoryConfig", "github.com/openshift/api/legacyconfig/v1.RFC2307Config", "github.com/openshift/api/legacyconfig/v1.StringSource"}, - } -} - -func schema_openshift_api_legacyconfig_v1_LocalQuota(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LocalQuota contains options for controlling local volume quota on the node.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "perFSGroup": { - SchemaProps: spec.SchemaProps{ - Description: "FSGroup can be specified to enable a quota on local storage use per unique FSGroup ID. At present this is only implemented for emptyDir volumes, and if the underlying volumeDirectory is on an XFS filesystem.", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), - }, - }, - }, - Required: []string{"perFSGroup"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/api/resource.Quantity"}, - } -} - -func schema_openshift_api_legacyconfig_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requestHeader": { - SchemaProps: spec.SchemaProps{ - Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.RequestHeaderAuthenticationOptions"), - }, - }, - "webhookTokenAuthenticators": { - SchemaProps: spec.SchemaProps{ - Description: "WebhookTokenAuthnConfig, if present configures remote token reviewers", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.WebhookTokenAuthenticator"), - }, - }, - }, - }, - }, - "oauthMetadataFile": { - SchemaProps: spec.SchemaProps{ - Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/legacyconfig/v1.WebhookTokenAuthenticator"}, - } -} - -func schema_openshift_api_legacyconfig_v1_MasterClients(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterClients holds references to `.kubeconfig` files that qualify master clients for OpenShift and Kubernetes", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "openshiftLoopbackKubeConfig": { - SchemaProps: spec.SchemaProps{ - Description: "openshiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "openshiftLoopbackClientConnectionOverrides": { - SchemaProps: spec.SchemaProps{ - Description: "openshiftLoopbackClientConnectionOverrides specifies client overrides for system components to loop back to this master.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"), - }, - }, - }, - Required: []string{"openshiftLoopbackKubeConfig", "openshiftLoopbackClientConnectionOverrides"}, + Required: []string{"autoProvisionEnabled", "templateNamespace", "templateName", "serviceName", "parameters"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"}, } } -func schema_openshift_api_legacyconfig_v1_MasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KeystonePasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MasterConfig holds the necessary configuration options for the OpenShift master\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -30978,506 +32004,117 @@ func schema_openshift_api_legacyconfig_v1_MasterConfig(ref common.ReferenceCallb Format: "", }, }, - "servingInfo": { - SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.HTTPServingInfo"), - }, - }, - "authConfig": { - SchemaProps: spec.SchemaProps{ - Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterAuthConfig"), - }, - }, - "aggregatorConfig": { - SchemaProps: spec.SchemaProps{ - Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.AggregatorConfig"), - }, - }, - "corsAllowedOrigins": { - SchemaProps: spec.SchemaProps{ - Description: "CORSAllowedOrigins", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "apiLevels": { - SchemaProps: spec.SchemaProps{ - Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "masterPublicURL": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "masterPublicURL is how clients can access the OpenShift API server", + Description: "url is the remote URL to connect to", Default: "", Type: []string{"string"}, Format: "", }, }, - "controllers": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "controllers is a list of the controllers that should be started. If set to \"none\", no controllers will start automatically. The default value is \"*\" which will start all controllers. When using \"*\", you may exclude controllers by prepending a \"-\" in front of their name. No other values are recognized at this time.", + Description: "ca is the CA for verifying TLS connections", Default: "", Type: []string{"string"}, Format: "", }, }, - "admissionConfig": { - SchemaProps: spec.SchemaProps{ - Description: "admissionConfig contains admission control plugin configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionConfig"), - }, - }, - "controllerConfig": { - SchemaProps: spec.SchemaProps{ - Description: "controllerConfig holds configuration values for controllers", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerConfig"), - }, - }, - "etcdStorageConfig": { - SchemaProps: spec.SchemaProps{ - Description: "etcdStorageConfig contains information about how API resources are stored in Etcd. These values are only relevant when etcd is the backing store for the cluster.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdStorageConfig"), - }, - }, - "etcdClientInfo": { - SchemaProps: spec.SchemaProps{ - Description: "etcdClientInfo contains information about how to connect to etcd", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdConnectionInfo"), - }, - }, - "kubeletClientInfo": { - SchemaProps: spec.SchemaProps{ - Description: "kubeletClientInfo contains information about how to connect to kubelets", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.KubeletConnectionInfo"), - }, - }, - "kubernetesMasterConfig": { - SchemaProps: spec.SchemaProps{ - Description: "KubernetesMasterConfig, if present start the kubernetes master in this process", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.KubernetesMasterConfig"), - }, - }, - "etcdConfig": { - SchemaProps: spec.SchemaProps{ - Description: "EtcdConfig, if present start etcd in this process", - Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdConfig"), - }, - }, - "oauthConfig": { - SchemaProps: spec.SchemaProps{ - Description: "OAuthConfig, if present start the /oauth endpoint in this process", - Ref: ref("github.com/openshift/api/legacyconfig/v1.OAuthConfig"), - }, - }, - "dnsConfig": { - SchemaProps: spec.SchemaProps{ - Description: "DNSConfig, if present start the DNS server in this process", - Ref: ref("github.com/openshift/api/legacyconfig/v1.DNSConfig"), - }, - }, - "serviceAccountConfig": { - SchemaProps: spec.SchemaProps{ - Description: "serviceAccountConfig holds options related to service accounts", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceAccountConfig"), - }, - }, - "masterClients": { - SchemaProps: spec.SchemaProps{ - Description: "masterClients holds all the client connection information for controllers and other system components", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterClients"), - }, - }, - "imageConfig": { - SchemaProps: spec.SchemaProps{ - Description: "imageConfig holds options that describe how to build image names for system components", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ImageConfig"), - }, - }, - "imagePolicyConfig": { - SchemaProps: spec.SchemaProps{ - Description: "imagePolicyConfig controls limits and behavior for importing images", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ImagePolicyConfig"), - }, - }, - "policyConfig": { - SchemaProps: spec.SchemaProps{ - Description: "policyConfig holds information about where to locate critical pieces of bootstrapping policy", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.PolicyConfig"), - }, - }, - "projectConfig": { - SchemaProps: spec.SchemaProps{ - Description: "projectConfig holds information about project creation and defaults", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ProjectConfig"), - }, - }, - "routingConfig": { - SchemaProps: spec.SchemaProps{ - Description: "routingConfig holds information about routing and route generation", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.RoutingConfig"), - }, - }, - "networkConfig": { - SchemaProps: spec.SchemaProps{ - Description: "networkConfig to be passed to the compiled in network plugin", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterNetworkConfig"), - }, - }, - "volumeConfig": { - SchemaProps: spec.SchemaProps{ - Description: "MasterVolumeConfig contains options for configuring volume plugins in the master node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterVolumeConfig"), - }, - }, - "jenkinsPipelineConfig": { - SchemaProps: spec.SchemaProps{ - Description: "jenkinsPipelineConfig holds information about the default Jenkins template used for JenkinsPipeline build strategy.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.JenkinsPipelineConfig"), - }, - }, - "auditConfig": { - SchemaProps: spec.SchemaProps{ - Description: "auditConfig holds information related to auditing capabilities.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.AuditConfig"), - }, - }, - }, - Required: []string{"servingInfo", "authConfig", "aggregatorConfig", "corsAllowedOrigins", "apiLevels", "masterPublicURL", "controllers", "admissionConfig", "controllerConfig", "etcdStorageConfig", "etcdClientInfo", "kubeletClientInfo", "kubernetesMasterConfig", "etcdConfig", "oauthConfig", "dnsConfig", "serviceAccountConfig", "masterClients", "imageConfig", "imagePolicyConfig", "policyConfig", "projectConfig", "routingConfig", "networkConfig", "volumeConfig", "jenkinsPipelineConfig", "auditConfig"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.AdmissionConfig", "github.com/openshift/api/legacyconfig/v1.AggregatorConfig", "github.com/openshift/api/legacyconfig/v1.AuditConfig", "github.com/openshift/api/legacyconfig/v1.ControllerConfig", "github.com/openshift/api/legacyconfig/v1.DNSConfig", "github.com/openshift/api/legacyconfig/v1.EtcdConfig", "github.com/openshift/api/legacyconfig/v1.EtcdConnectionInfo", "github.com/openshift/api/legacyconfig/v1.EtcdStorageConfig", "github.com/openshift/api/legacyconfig/v1.HTTPServingInfo", "github.com/openshift/api/legacyconfig/v1.ImageConfig", "github.com/openshift/api/legacyconfig/v1.ImagePolicyConfig", "github.com/openshift/api/legacyconfig/v1.JenkinsPipelineConfig", "github.com/openshift/api/legacyconfig/v1.KubeletConnectionInfo", "github.com/openshift/api/legacyconfig/v1.KubernetesMasterConfig", "github.com/openshift/api/legacyconfig/v1.MasterAuthConfig", "github.com/openshift/api/legacyconfig/v1.MasterClients", "github.com/openshift/api/legacyconfig/v1.MasterNetworkConfig", "github.com/openshift/api/legacyconfig/v1.MasterVolumeConfig", "github.com/openshift/api/legacyconfig/v1.OAuthConfig", "github.com/openshift/api/legacyconfig/v1.PolicyConfig", "github.com/openshift/api/legacyconfig/v1.ProjectConfig", "github.com/openshift/api/legacyconfig/v1.RoutingConfig", "github.com/openshift/api/legacyconfig/v1.ServiceAccountConfig"}, - } -} - -func schema_openshift_api_legacyconfig_v1_MasterNetworkConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterNetworkConfig to be passed to the compiled in network plugin", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "networkPluginName": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "networkPluginName is the name of the network plugin to use", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "clusterNetworkCIDR": { - SchemaProps: spec.SchemaProps{ - Description: "clusterNetworkCIDR is the CIDR string to specify the global overlay network's L3 space. Deprecated, but maintained for backwards compatibility, use ClusterNetworks instead.", - Type: []string{"string"}, - Format: "", - }, - }, - "clusterNetworks": { - SchemaProps: spec.SchemaProps{ - Description: "clusterNetworks is a list of ClusterNetwork objects that defines the global overlay network's L3 space by specifying a set of CIDR and netmasks that the SDN can allocate addressed from. If this is specified, then ClusterNetworkCIDR and HostSubnetLength may not be set.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ClusterNetworkEntry"), - }, - }, - }, - }, - }, - "hostSubnetLength": { - SchemaProps: spec.SchemaProps{ - Description: "hostSubnetLength is the number of bits to allocate to each host's subnet e.g. 8 would mean a /24 network on the host. Deprecated, but maintained for backwards compatibility, use ClusterNetworks instead.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - "serviceNetworkCIDR": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "ServiceNetwork is the CIDR string to specify the service networks", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, - "externalIPNetworkCIDRs": { - SchemaProps: spec.SchemaProps{ - Description: "externalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no externalIP may be set. It may contain a list of CIDRs which are checked for access. If a CIDR is prefixed with !, IPs in that CIDR will be rejected. Rejections will be applied first, then the IP checked against one of the allowed CIDRs. You should ensure this range does not overlap with your nodes, pods, or service CIDRs for security reasons.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "ingressIPNetworkCIDR": { + "domainName": { SchemaProps: spec.SchemaProps{ - Description: "ingressIPNetworkCIDR controls the range to assign ingress ips from for services of type LoadBalancer on bare metal. If empty, ingress ips will not be assigned. It may contain a single CIDR that will be allocated from. For security reasons, you should ensure that this range does not overlap with the CIDRs reserved for external ips, nodes, pods, or services.", + Description: "Domain Name is required for keystone v3", Default: "", Type: []string{"string"}, Format: "", }, }, - "vxlanPort": { - SchemaProps: spec.SchemaProps{ - Description: "vxlanPort is the VXLAN port used by the cluster defaults. If it is not set, 4789 is the default value", - Type: []string{"integer"}, - Format: "int64", - }, - }, - }, - Required: []string{"networkPluginName", "clusterNetworks", "serviceNetworkCIDR", "externalIPNetworkCIDRs", "ingressIPNetworkCIDR"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ClusterNetworkEntry"}, - } -} - -func schema_openshift_api_legacyconfig_v1_MasterVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MasterVolumeConfig contains options for configuring volume plugins in the master node.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "dynamicProvisioningEnabled": { + "useKeystoneIdentity": { SchemaProps: spec.SchemaProps{ - Description: "dynamicProvisioningEnabled is a boolean that toggles dynamic provisioning off when false, defaults to true", + Description: "useKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username", + Default: false, Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"dynamicProvisioningEnabled"}, + Required: []string{"url", "ca", "certFile", "keyFile", "domainName", "useKeystoneIdentity"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_NamedCertificate(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KubeletConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NamedCertificate specifies a certificate/key, and the names it should be served for", + Description: "KubeletConnectionInfo holds information necessary for connecting to a kubelet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "names": { - SchemaProps: spec.SchemaProps{ - Description: "names is a list of DNS names this certificate should be used to secure A name can be a normal DNS name, or can contain leading wildcard segments.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "certFile": { + "port": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "port is the port to connect to kubelets on", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "keyFile": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "ca is the CA for verifying TLS connections to kubelets", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"names", "certFile", "keyFile"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_NodeAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NodeAuthConfig holds authn/authz configuration options", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "authenticationCacheTTL": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "authenticationCacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get the default timeout. If zero (e.g. \"0m\"), caching is disabled", + Description: "certFile is a file containing a PEM-encoded certificate", Default: "", Type: []string{"string"}, Format: "", }, }, - "authenticationCacheSize": { - SchemaProps: spec.SchemaProps{ - Description: "authenticationCacheSize indicates how many authentication results should be cached. If 0, the default cache size is used.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "authorizationCacheTTL": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "authorizationCacheTTL indicates how long an authorization result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get the default timeout. If zero (e.g. \"0m\"), caching is disabled", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, - "authorizationCacheSize": { - SchemaProps: spec.SchemaProps{ - Description: "authorizationCacheSize indicates how many authorization results should be cached. If 0, the default cache size is used.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, }, - Required: []string{"authenticationCacheTTL", "authenticationCacheSize", "authorizationCacheTTL", "authorizationCacheSize"}, + Required: []string{"port", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_NodeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_KubernetesMasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NodeConfig is the fully specified config starting an OpenShift node\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "KubernetesMasterConfig holds the necessary configuration options for the Kubernetes master", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "nodeName": { - SchemaProps: spec.SchemaProps{ - Description: "nodeName is the value used to identify this particular node in the cluster. If possible, this should be your fully qualified hostname. If you're describing a set of static nodes to the master, this value must match one of the values in the list", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "nodeIP": { - SchemaProps: spec.SchemaProps{ - Description: "Node may have multiple IPs, specify the IP to use for pod traffic routing If not specified, network parse/lookup on the nodeName is performed and the first non-loopback address is used", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "servingInfo": { - SchemaProps: spec.SchemaProps{ - Description: "servingInfo describes how to start serving", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), - }, - }, - "masterKubeConfig": { - SchemaProps: spec.SchemaProps{ - Description: "masterKubeConfig is a filename for the .kubeconfig file that describes how to connect this node to the master", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "masterClientConnectionOverrides": { - SchemaProps: spec.SchemaProps{ - Description: "masterClientConnectionOverrides provides overrides to the client connection used to connect to the master.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"), - }, - }, - "dnsDomain": { - SchemaProps: spec.SchemaProps{ - Description: "dnsDomain holds the domain suffix that will be used for the DNS search path inside each container. Defaults to 'cluster.local'.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "dnsIP": { - SchemaProps: spec.SchemaProps{ - Description: "dnsIP is the IP address that pods will use to access cluster DNS. Defaults to the service IP of the Kubernetes master. This IP must be listening on port 53 for compatibility with libc resolvers (which cannot be configured to resolve names from any other port). When running more complex local DNS configurations, this is often set to the local address of a DNS proxy like dnsmasq, which then will consult either the local DNS (see dnsBindAddress) or the master DNS.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "dnsBindAddress": { - SchemaProps: spec.SchemaProps{ - Description: "dnsBindAddress is the ip:port to serve DNS on. If this is not set, the DNS server will not be started. Because most DNS resolvers will only listen on port 53, if you select an alternative port you will need a DNS proxy like dnsmasq to answer queries for containers. A common configuration is dnsmasq configured on a node IP listening on 53 and delegating queries for dnsDomain to this process, while sending other queries to the host environments nameservers.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "dnsNameservers": { + "apiLevels": { SchemaProps: spec.SchemaProps{ - Description: "dnsNameservers is a list of ip:port values of recursive nameservers to forward queries to when running a local DNS server if dnsBindAddress is set. If this value is empty, the DNS server will default to the nameservers listed in /etc/resolv.conf. If you have configured dnsmasq or another DNS proxy on the system, this value should be set to the upstream nameservers dnsmasq resolves with.", + Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -31490,74 +32127,110 @@ func schema_openshift_api_legacyconfig_v1_NodeConfig(ref common.ReferenceCallbac }, }, }, - "dnsRecursiveResolvConf": { + "disabledAPIGroupVersions": { SchemaProps: spec.SchemaProps{ - Description: "dnsRecursiveResolvConf is a path to a resolv.conf file that contains settings for an upstream server. Only the nameservers and port fields are used. The file must exist and parse correctly. It adds extra nameservers to DNSNameservers if set.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "disabledAPIGroupVersions is a map of groups to the versions (or *) that should be disabled.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, - "networkPluginName": { + "masterIP": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated and maintained for backward compatibility, use NetworkConfig.NetworkPluginName instead", + Description: "masterIP is the public IP address of kubernetes stuff. If empty, the first result from net.InterfaceAddrs will be used.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "networkConfig": { + "masterEndpointReconcileTTL": { SchemaProps: spec.SchemaProps{ - Description: "networkConfig provides network options for the node", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeNetworkConfig"), + Description: "masterEndpointReconcileTTL sets the time to live in seconds of an endpoint record recorded by each master. The endpoints are checked at an interval that is 2/3 of this value and this value defaults to 15s if unset. In very large clusters, this value may be increased to reduce the possibility that the master endpoint record expires (due to other load on the etcd server) and causes masters to drop in and out of the kubernetes service record. It is not recommended to set this value below 15s.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "volumeDirectory": { + "servicesSubnet": { SchemaProps: spec.SchemaProps{ - Description: "volumeDirectory is the directory that volumes will be stored under", + Description: "servicesSubnet is the subnet to use for assigning service IPs", Default: "", Type: []string{"string"}, Format: "", }, }, - "imageConfig": { + "servicesNodePortRange": { SchemaProps: spec.SchemaProps{ - Description: "imageConfig holds options that describe how to build image names for system components", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.ImageConfig"), + Description: "servicesNodePortRange is the range to use for assigning service public ports on a host.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "allowDisabledDocker": { + "schedulerConfigFile": { SchemaProps: spec.SchemaProps{ - Description: "allowDisabledDocker if true, the Kubelet will ignore errors from Docker. This means that a node can start on a machine that doesn't have docker started.", - Default: false, - Type: []string{"boolean"}, + Description: "schedulerConfigFile points to a file that describes how to set up the scheduler. If empty, you get the default scheduling rules.", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "podManifestConfig": { + "podEvictionTimeout": { SchemaProps: spec.SchemaProps{ - Description: "podManifestConfig holds the configuration for enabling the Kubelet to create pods based from a manifest file(s) placed locally on the node", - Ref: ref("github.com/openshift/api/legacyconfig/v1.PodManifestConfig"), + Description: "podEvictionTimeout controls grace period for deleting pods on failed nodes. It takes valid time duration string. If empty, you get the default pod eviction timeout.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "authConfig": { + "proxyClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "authConfig holds authn/authz configuration options", + Description: "proxyClientInfo specifies the client cert/key to use when proxying to pods", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeAuthConfig"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), }, }, - "dockerConfig": { + "apiServerArguments": { SchemaProps: spec.SchemaProps{ - Description: "dockerConfig holds Docker related configuration options.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.DockerConfig"), + Description: "apiServerArguments are key value pairs that will be passed directly to the Kube apiserver that match the apiservers's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, }, }, - "kubeletArguments": { + "controllerArguments": { SchemaProps: spec.SchemaProps{ - Description: "kubeletArguments are key value pairs that will be passed directly to the Kubelet that match the Kubelet's command line arguments. These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.", + Description: "controllerArguments are key value pairs that will be passed directly to the Kube controller manager that match the controller manager's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, @@ -31578,9 +32251,9 @@ func schema_openshift_api_legacyconfig_v1_NodeConfig(ref common.ReferenceCallbac }, }, }, - "proxyArguments": { + "schedulerArguments": { SchemaProps: spec.SchemaProps{ - Description: "proxyArguments are key value pairs that will be passed directly to the Proxy that match the Proxy's command line arguments. These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.", + Description: "schedulerArguments are key value pairs that will be passed directly to the Kube scheduler that match the scheduler's command line arguments. These are not migrated, but if you reference a value that does not exist the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations.", Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, @@ -31601,302 +32274,429 @@ func schema_openshift_api_legacyconfig_v1_NodeConfig(ref common.ReferenceCallbac }, }, }, - "iptablesSyncPeriod": { + }, + Required: []string{"apiLevels", "disabledAPIGroupVersions", "masterIP", "masterEndpointReconcileTTL", "servicesSubnet", "servicesNodePortRange", "schedulerConfigFile", "podEvictionTimeout", "proxyClientInfo", "apiServerArguments", "controllerArguments", "schedulerArguments"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.CertInfo"}, + } +} + +func schema_openshift_api_legacyconfig_v1_LDAPAttributeMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "id": { SchemaProps: spec.SchemaProps{ - Description: "iptablesSyncPeriod is how often iptable rules are refreshed", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "id is the list of attributes whose values should be used as the user ID. Required. LDAP standard identity attribute is \"dn\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "enableUnidling": { + "preferredUsername": { SchemaProps: spec.SchemaProps{ - Description: "enableUnidling controls whether or not the hybrid unidling proxy will be set up", - Type: []string{"boolean"}, - Format: "", + Description: "preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is \"uid\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "volumeConfig": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "volumeConfig contains options for configuring volumes on the node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeVolumeConfig"), + Description: "name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is \"cn\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"nodeName", "nodeIP", "servingInfo", "masterKubeConfig", "masterClientConnectionOverrides", "dnsDomain", "dnsIP", "dnsBindAddress", "dnsNameservers", "dnsRecursiveResolvConf", "networkConfig", "volumeDirectory", "imageConfig", "allowDisabledDocker", "podManifestConfig", "authConfig", "dockerConfig", "iptablesSyncPeriod", "enableUnidling", "volumeConfig"}, + Required: []string{"id", "preferredUsername", "name", "email"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides", "github.com/openshift/api/legacyconfig/v1.DockerConfig", "github.com/openshift/api/legacyconfig/v1.ImageConfig", "github.com/openshift/api/legacyconfig/v1.NodeAuthConfig", "github.com/openshift/api/legacyconfig/v1.NodeNetworkConfig", "github.com/openshift/api/legacyconfig/v1.NodeVolumeConfig", "github.com/openshift/api/legacyconfig/v1.PodManifestConfig", "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, } } -func schema_openshift_api_legacyconfig_v1_NodeNetworkConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPPasswordIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NodeNetworkConfig provides network options for the node", + Description: "LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "networkPluginName": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "networkPluginName is a string specifying the networking plugin", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is\n ldap://host:port/basedn?attribute?scope?filter", Default: "", Type: []string{"string"}, Format: "", }, }, - "mtu": { + "bindDN": { SchemaProps: spec.SchemaProps{ - Description: "Maximum transmission unit for the network packets", - Default: 0, - Type: []string{"integer"}, - Format: "int64", + Description: "bindDN is an optional DN to bind with during the search phase.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "bindPassword": { + SchemaProps: spec.SchemaProps{ + Description: "bindPassword is an optional password to bind with during the search phase.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + }, + }, + "insecure": { + SchemaProps: spec.SchemaProps{ + Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + "ca": { + SchemaProps: spec.SchemaProps{ + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "attributes": { + SchemaProps: spec.SchemaProps{ + Description: "attributes maps LDAP attributes to identities", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping"), }, }, }, - Required: []string{"networkPluginName", "mtu"}, + Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "attributes"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.LDAPAttributeMapping", "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_NodeVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPQuery(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NodeVolumeConfig contains options for configuring volumes on the node.", + Description: "LDAPQuery holds the options necessary to build an LDAP query", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "localQuota": { + "baseDN": { SchemaProps: spec.SchemaProps{ - Description: "localQuota contains options for controlling local volume quota on the node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LocalQuota"), + Description: "The DN of the branch of the directory where all searches should start from", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "scope": { + SchemaProps: spec.SchemaProps{ + Description: "The (optional) scope of the search. Can be: base: only the base object, one: all object on the base level, sub: the entire subtree Defaults to the entire subtree if not set", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "derefAliases": { + SchemaProps: spec.SchemaProps{ + Description: "The (optional) behavior of the search with regards to alisases. Can be: never: never dereference aliases, search: only dereference in searching, base: only dereference in finding the base object, always: always dereference Defaults to always dereferencing if not set", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "timeout": { + SchemaProps: spec.SchemaProps{ + Description: "TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is 0, no client-side limit is imposed", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "filter": { + SchemaProps: spec.SchemaProps{ + Description: "filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "pageSize": { + SchemaProps: spec.SchemaProps{ + Description: "pageSize is the maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, }, - Required: []string{"localQuota"}, + Required: []string{"baseDN", "scope", "derefAliases", "timeout", "filter", "pageSize"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LocalQuota"}, } } -func schema_openshift_api_legacyconfig_v1_OAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LDAPSyncConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OAuthConfig holds the necessary configuration options for OAuth authentication", + Description: "LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "masterCA": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "masterCA is the CA for verifying the TLS connection back to the MasterURL.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "masterURL": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "masterURL is used for making server-to-server calls to exchange authorization codes for access tokens", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "masterPublicURL": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "masterPublicURL is used for building valid client redirect URLs for internal and external access", + Description: "Host is the scheme, host and port of the LDAP server to connect to: scheme://host:port", Default: "", Type: []string{"string"}, Format: "", }, }, - "assetPublicURL": { + "bindDN": { SchemaProps: spec.SchemaProps{ - Description: "assetPublicURL is used for building valid client redirect URLs for external access", + Description: "bindDN is an optional DN to bind to the LDAP server with", Default: "", Type: []string{"string"}, Format: "", }, }, - "alwaysShowProviderSelection": { + "bindPassword": { SchemaProps: spec.SchemaProps{ - Description: "alwaysShowProviderSelection will force the provider selection page to render even when there is only a single provider.", + Description: "bindPassword is an optional password to bind with during the search phase.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + }, + }, + "insecure": { + SchemaProps: spec.SchemaProps{ + Description: "Insecure, if true, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of \"ldaps://\" If false, \"ldaps://\" URLs connect using TLS, and \"ldap://\" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830", Default: false, Type: []string{"boolean"}, Format: "", }, }, - "identityProviders": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "identityProviders is an ordered list of ways for a user to identify themselves", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "groupUIDNameMapping": { + SchemaProps: spec.SchemaProps{ + Description: "LDAPGroupUIDToOpenShiftGroupNameMapping is an optional direct mapping of LDAP group UIDs to OpenShift Group names", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.IdentityProvider"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "grantConfig": { - SchemaProps: spec.SchemaProps{ - Description: "grantConfig describes how to handle grants", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.GrantConfig"), - }, - }, - "sessionConfig": { + "rfc2307": { SchemaProps: spec.SchemaProps{ - Description: "sessionConfig hold information about configuring sessions.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.SessionConfig"), + Description: "RFC2307Config holds the configuration for extracting data from an LDAP server set up in a fashion similar to RFC2307: first-class group and user entries, with group membership determined by a multi-valued attribute on the group entry listing its members", + Ref: ref("github.com/openshift/api/legacyconfig/v1.RFC2307Config"), }, }, - "tokenConfig": { + "activeDirectory": { SchemaProps: spec.SchemaProps{ - Description: "tokenConfig contains options for authorization and access tokens", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.TokenConfig"), + Description: "ActiveDirectoryConfig holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory: first-class user entries, with group membership determined by a multi-valued attribute on members listing groups they are a member of", + Ref: ref("github.com/openshift/api/legacyconfig/v1.ActiveDirectoryConfig"), }, }, - "templates": { + "augmentedActiveDirectory": { SchemaProps: spec.SchemaProps{ - Description: "templates allow you to customize pages like the login page.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.OAuthTemplates"), + Description: "AugmentedActiveDirectoryConfig holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory as described above, with one addition: first-class group entries exist and are used to hold metadata but not group membership", + Ref: ref("github.com/openshift/api/legacyconfig/v1.AugmentedActiveDirectoryConfig"), }, }, }, - Required: []string{"masterCA", "masterURL", "masterPublicURL", "assetPublicURL", "alwaysShowProviderSelection", "identityProviders", "grantConfig", "sessionConfig", "tokenConfig", "templates"}, + Required: []string{"url", "bindDN", "bindPassword", "insecure", "ca", "groupUIDNameMapping"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.GrantConfig", "github.com/openshift/api/legacyconfig/v1.IdentityProvider", "github.com/openshift/api/legacyconfig/v1.OAuthTemplates", "github.com/openshift/api/legacyconfig/v1.SessionConfig", "github.com/openshift/api/legacyconfig/v1.TokenConfig"}, + "github.com/openshift/api/legacyconfig/v1.ActiveDirectoryConfig", "github.com/openshift/api/legacyconfig/v1.AugmentedActiveDirectoryConfig", "github.com/openshift/api/legacyconfig/v1.RFC2307Config", "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_OAuthTemplates(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_LocalQuota(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OAuthTemplates allow for customization of pages like the login page", + Description: "LocalQuota contains options for controlling local volume quota on the node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "login": { - SchemaProps: spec.SchemaProps{ - Description: "login is a path to a file containing a go template used to render the login page. If unspecified, the default login page is used.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "providerSelection": { - SchemaProps: spec.SchemaProps{ - Description: "providerSelection is a path to a file containing a go template used to render the provider selection page. If unspecified, the default provider selection page is used.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "error": { + "perFSGroup": { SchemaProps: spec.SchemaProps{ - Description: "error is a path to a file containing a go template used to render error pages during the authentication or grant flow If unspecified, the default error page is used.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "FSGroup can be specified to enable a quota on local storage use per unique FSGroup ID. At present this is only implemented for emptyDir volumes, and if the underlying volumeDirectory is on an XFS filesystem.", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), }, }, }, - Required: []string{"login", "providerSelection", "error"}, + Required: []string{"perFSGroup"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/api/resource.Quantity"}, } } -func schema_openshift_api_legacyconfig_v1_OpenIDClaims(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_MasterAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider", + Description: "MasterAuthConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "id": { + "requestHeader": { SchemaProps: spec.SchemaProps{ - Description: "id is the list of claims whose values should be used as the user ID. Required. OpenID standard identity claim is \"sub\"", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "requestHeader holds options for setting up a front proxy against the API. It is optional.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.RequestHeaderAuthenticationOptions"), }, }, - "preferredUsername": { + "webhookTokenAuthenticators": { SchemaProps: spec.SchemaProps{ - Description: "preferredUsername is the list of claims whose values should be used as the preferred username. If unspecified, the preferred username is determined from the value of the id claim", + Description: "WebhookTokenAuthnConfig, if present configures remote token reviewers", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.WebhookTokenAuthenticator"), }, }, }, }, }, - "name": { + "oauthMetadataFile": { SchemaProps: spec.SchemaProps{ - Description: "name is the list of claims whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization Server Metadata for an external OAuth server. See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This option is mutually exclusive with OAuthConfig", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "email": { + }, + Required: []string{"requestHeader", "webhookTokenAuthenticators", "oauthMetadataFile"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.RequestHeaderAuthenticationOptions", "github.com/openshift/api/legacyconfig/v1.WebhookTokenAuthenticator"}, + } +} + +func schema_openshift_api_legacyconfig_v1_MasterClients(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MasterClients holds references to `.kubeconfig` files that qualify master clients for OpenShift and Kubernetes", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "openshiftLoopbackKubeConfig": { SchemaProps: spec.SchemaProps{ - Description: "email is the list of claims whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "openshiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "openshiftLoopbackClientConnectionOverrides": { + SchemaProps: spec.SchemaProps{ + Description: "openshiftLoopbackClientConnectionOverrides specifies client overrides for system components to loop back to this master.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"), }, }, }, - Required: []string{"id", "preferredUsername", "name", "email"}, + Required: []string{"openshiftLoopbackKubeConfig", "openshiftLoopbackClientConnectionOverrides"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"}, } } -func schema_openshift_api_legacyconfig_v1_OpenIDIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_MasterConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "MasterConfig holds the necessary configuration options for the OpenShift master\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -31913,31 +32713,30 @@ func schema_openshift_api_legacyconfig_v1_OpenIDIdentityProvider(ref common.Refe Format: "", }, }, - "ca": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "servingInfo describes how to start serving", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.HTTPServingInfo"), }, }, - "clientID": { + "authConfig": { SchemaProps: spec.SchemaProps{ - Description: "clientID is the oauth client ID", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "authConfig configures authentication options in addition to the standard oauth token and client certificate authenticators", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterAuthConfig"), }, }, - "clientSecret": { + "aggregatorConfig": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is the oauth client secret", - Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + Description: "aggregatorConfig has options for configuring the aggregator component of the API server.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.AggregatorConfig"), }, }, - "extraScopes": { + "corsAllowedOrigins": { SchemaProps: spec.SchemaProps{ - Description: "extraScopes are any scopes to request in addition to the standard \"openid\" scope.", + Description: "CORSAllowedOrigins", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -31950,12 +32749,11 @@ func schema_openshift_api_legacyconfig_v1_OpenIDIdentityProvider(ref common.Refe }, }, }, - "extraAuthorizeParameters": { + "apiLevels": { SchemaProps: spec.SchemaProps{ - Description: "extraAuthorizeParameters are any custom parameters to add to the authorize request.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "apiLevels is a list of API levels that should be enabled on startup: v1 as examples", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -31966,206 +32764,222 @@ func schema_openshift_api_legacyconfig_v1_OpenIDIdentityProvider(ref common.Refe }, }, }, - "urls": { + "masterPublicURL": { SchemaProps: spec.SchemaProps{ - Description: "urls to use to authenticate", + Description: "masterPublicURL is how clients can access the OpenShift API server", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "controllers": { + SchemaProps: spec.SchemaProps{ + Description: "controllers is a list of the controllers that should be started. If set to \"none\", no controllers will start automatically. The default value is \"*\" which will start all controllers. When using \"*\", you may exclude controllers by prepending a \"-\" in front of their name. No other values are recognized at this time.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "admissionConfig": { + SchemaProps: spec.SchemaProps{ + Description: "admissionConfig contains admission control plugin configuration.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.OpenIDURLs"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.AdmissionConfig"), }, }, - "claims": { + "controllerConfig": { SchemaProps: spec.SchemaProps{ - Description: "claims mappings", + Description: "controllerConfig holds configuration values for controllers", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.OpenIDClaims"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.ControllerConfig"), }, }, - }, - Required: []string{"ca", "clientID", "clientSecret", "extraScopes", "extraAuthorizeParameters", "urls", "claims"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.OpenIDClaims", "github.com/openshift/api/legacyconfig/v1.OpenIDURLs", "github.com/openshift/api/legacyconfig/v1.StringSource"}, - } -} - -func schema_openshift_api_legacyconfig_v1_OpenIDURLs(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "OpenIDURLs are URLs to use when authenticating with an OpenID identity provider", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "authorize": { + "etcdStorageConfig": { SchemaProps: spec.SchemaProps{ - Description: "authorize is the oauth authorization URL", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "etcdStorageConfig contains information about how API resources are stored in Etcd. These values are only relevant when etcd is the backing store for the cluster.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdStorageConfig"), }, }, - "token": { + "etcdClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "token is the oauth token granting URL", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "etcdClientInfo contains information about how to connect to etcd", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdConnectionInfo"), }, }, - "userInfo": { + "kubeletClientInfo": { SchemaProps: spec.SchemaProps{ - Description: "userInfo is the optional userinfo URL. If present, a granted access_token is used to request claims If empty, a granted id_token is parsed for claims", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "kubeletClientInfo contains information about how to connect to kubelets", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.KubeletConnectionInfo"), }, }, - }, - Required: []string{"authorize", "token", "userInfo"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_PodManifestConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PodManifestConfig holds the necessary configuration options for using pod manifests", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "path": { + "kubernetesMasterConfig": { SchemaProps: spec.SchemaProps{ - Description: "path specifies the path for the pod manifest file or directory If its a directory, its expected to contain on or more manifest files This is used by the Kubelet to create pods on the node", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "KubernetesMasterConfig, if present start the kubernetes master in this process", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.KubernetesMasterConfig"), }, }, - "fileCheckIntervalSeconds": { + "etcdConfig": { SchemaProps: spec.SchemaProps{ - Description: "fileCheckIntervalSeconds is the interval in seconds for checking the manifest file(s) for new data The interval needs to be a positive value", - Default: 0, - Type: []string{"integer"}, - Format: "int64", + Description: "EtcdConfig, if present start etcd in this process", + Ref: ref("github.com/openshift/api/legacyconfig/v1.EtcdConfig"), }, }, - }, - Required: []string{"path", "fileCheckIntervalSeconds"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_PolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "holds the necessary configuration options for", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "userAgentMatchingConfig": { + "oauthConfig": { SchemaProps: spec.SchemaProps{ - Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", + Description: "OAuthConfig, if present start the /oauth endpoint in this process", + Ref: ref("github.com/openshift/api/legacyconfig/v1.OAuthConfig"), + }, + }, + "dnsConfig": { + SchemaProps: spec.SchemaProps{ + Description: "DNSConfig, if present start the DNS server in this process", + Ref: ref("github.com/openshift/api/legacyconfig/v1.DNSConfig"), + }, + }, + "serviceAccountConfig": { + SchemaProps: spec.SchemaProps{ + Description: "serviceAccountConfig holds options related to service accounts", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentMatchingConfig"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServiceAccountConfig"), }, }, - }, - Required: []string{"userAgentMatchingConfig"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.UserAgentMatchingConfig"}, - } -} - -func schema_openshift_api_legacyconfig_v1_ProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "holds the necessary configuration options for", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "defaultNodeSelector": { + "masterClients": { SchemaProps: spec.SchemaProps{ - Description: "defaultNodeSelector holds default project node label selector", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "masterClients holds all the client connection information for controllers and other system components", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterClients"), }, }, - "projectRequestMessage": { + "imageConfig": { SchemaProps: spec.SchemaProps{ - Description: "projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "imageConfig holds options that describe how to build image names for system components", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ImageConfig"), }, }, - "projectRequestTemplate": { + "imagePolicyConfig": { SchemaProps: spec.SchemaProps{ - Description: "projectRequestTemplate is the template to use for creating projects in response to projectrequest. It is in the format namespace/template and it is optional. If it is not specified, a default template is used.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "imagePolicyConfig controls limits and behavior for importing images", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ImagePolicyConfig"), }, }, - "securityAllocator": { + "policyConfig": { SchemaProps: spec.SchemaProps{ - Description: "securityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.SecurityAllocator"), + Description: "policyConfig holds information about where to locate critical pieces of bootstrapping policy", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.PolicyConfig"), + }, + }, + "projectConfig": { + SchemaProps: spec.SchemaProps{ + Description: "projectConfig holds information about project creation and defaults", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ProjectConfig"), + }, + }, + "routingConfig": { + SchemaProps: spec.SchemaProps{ + Description: "routingConfig holds information about routing and route generation", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.RoutingConfig"), + }, + }, + "networkConfig": { + SchemaProps: spec.SchemaProps{ + Description: "networkConfig to be passed to the compiled in network plugin", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterNetworkConfig"), + }, + }, + "volumeConfig": { + SchemaProps: spec.SchemaProps{ + Description: "MasterVolumeConfig contains options for configuring volume plugins in the master node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.MasterVolumeConfig"), + }, + }, + "jenkinsPipelineConfig": { + SchemaProps: spec.SchemaProps{ + Description: "jenkinsPipelineConfig holds information about the default Jenkins template used for JenkinsPipeline build strategy.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.JenkinsPipelineConfig"), + }, + }, + "auditConfig": { + SchemaProps: spec.SchemaProps{ + Description: "auditConfig holds information related to auditing capabilities.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.AuditConfig"), }, }, }, - Required: []string{"defaultNodeSelector", "projectRequestMessage", "projectRequestTemplate", "securityAllocator"}, + Required: []string{"servingInfo", "authConfig", "aggregatorConfig", "corsAllowedOrigins", "apiLevels", "masterPublicURL", "controllers", "admissionConfig", "controllerConfig", "etcdStorageConfig", "etcdClientInfo", "kubeletClientInfo", "kubernetesMasterConfig", "etcdConfig", "oauthConfig", "dnsConfig", "serviceAccountConfig", "masterClients", "imageConfig", "imagePolicyConfig", "policyConfig", "projectConfig", "routingConfig", "networkConfig", "volumeConfig", "jenkinsPipelineConfig", "auditConfig"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.SecurityAllocator"}, + "github.com/openshift/api/legacyconfig/v1.AdmissionConfig", "github.com/openshift/api/legacyconfig/v1.AggregatorConfig", "github.com/openshift/api/legacyconfig/v1.AuditConfig", "github.com/openshift/api/legacyconfig/v1.ControllerConfig", "github.com/openshift/api/legacyconfig/v1.DNSConfig", "github.com/openshift/api/legacyconfig/v1.EtcdConfig", "github.com/openshift/api/legacyconfig/v1.EtcdConnectionInfo", "github.com/openshift/api/legacyconfig/v1.EtcdStorageConfig", "github.com/openshift/api/legacyconfig/v1.HTTPServingInfo", "github.com/openshift/api/legacyconfig/v1.ImageConfig", "github.com/openshift/api/legacyconfig/v1.ImagePolicyConfig", "github.com/openshift/api/legacyconfig/v1.JenkinsPipelineConfig", "github.com/openshift/api/legacyconfig/v1.KubeletConnectionInfo", "github.com/openshift/api/legacyconfig/v1.KubernetesMasterConfig", "github.com/openshift/api/legacyconfig/v1.MasterAuthConfig", "github.com/openshift/api/legacyconfig/v1.MasterClients", "github.com/openshift/api/legacyconfig/v1.MasterNetworkConfig", "github.com/openshift/api/legacyconfig/v1.MasterVolumeConfig", "github.com/openshift/api/legacyconfig/v1.OAuthConfig", "github.com/openshift/api/legacyconfig/v1.PolicyConfig", "github.com/openshift/api/legacyconfig/v1.ProjectConfig", "github.com/openshift/api/legacyconfig/v1.RoutingConfig", "github.com/openshift/api/legacyconfig/v1.ServiceAccountConfig"}, } } -func schema_openshift_api_legacyconfig_v1_RFC2307Config(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_MasterNetworkConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RFC2307Config holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the RFC2307 schema", + Description: "MasterNetworkConfig to be passed to the compiled in network plugin", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "groupsQuery": { + "networkPluginName": { SchemaProps: spec.SchemaProps{ - Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "networkPluginName is the name of the network plugin to use", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "groupUIDAttribute": { + "clusterNetworkCIDR": { SchemaProps: spec.SchemaProps{ - Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", - Default: "", + Description: "clusterNetworkCIDR is the CIDR string to specify the global overlay network's L3 space. Deprecated, but maintained for backwards compatibility, use ClusterNetworks instead.", Type: []string{"string"}, Format: "", }, }, - "groupNameAttributes": { + "clusterNetworks": { SchemaProps: spec.SchemaProps{ - Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", + Description: "clusterNetworks is a list of ClusterNetwork objects that defines the global overlay network's L3 space by specifying a set of CIDR and netmasks that the SDN can allocate addressed from. If this is specified, then ClusterNetworkCIDR and HostSubnetLength may not be set.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ClusterNetworkEntry"), }, }, }, }, }, - "groupMembershipAttributes": { + "hostSubnetLength": { SchemaProps: spec.SchemaProps{ - Description: "groupMembershipAttributes defines which attributes on an LDAP group entry will be interpreted as its members. The values contained in those attributes must be queryable by your UserUIDAttribute", + Description: "hostSubnetLength is the number of bits to allocate to each host's subnet e.g. 8 would mean a /24 network on the host. Deprecated, but maintained for backwards compatibility, use ClusterNetworks instead.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "serviceNetworkCIDR": { + SchemaProps: spec.SchemaProps{ + Description: "ServiceNetwork is the CIDR string to specify the service networks", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "externalIPNetworkCIDRs": { + SchemaProps: spec.SchemaProps{ + Description: "externalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no externalIP may be set. It may contain a list of CIDRs which are checked for access. If a CIDR is prefixed with !, IPs in that CIDR will be rejected. Rejections will be applied first, then the IP checked against one of the allowed CIDRs. You should ensure this range does not overlap with your nodes, pods, or service CIDRs for security reasons.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -32178,24 +32992,61 @@ func schema_openshift_api_legacyconfig_v1_RFC2307Config(ref common.ReferenceCall }, }, }, - "usersQuery": { + "ingressIPNetworkCIDR": { SchemaProps: spec.SchemaProps{ - Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + Description: "ingressIPNetworkCIDR controls the range to assign ingress ips from for services of type LoadBalancer on bare metal. If empty, ingress ips will not be assigned. It may contain a single CIDR that will be allocated from. For security reasons, you should ensure that this range does not overlap with the CIDRs reserved for external ips, nodes, pods, or services.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "userUIDAttribute": { + "vxlanPort": { SchemaProps: spec.SchemaProps{ - Description: "userUIDAttribute defines which attribute on an LDAP user entry will be interpreted as its unique identifier. It must correspond to values that will be found from the GroupMembershipAttributes", - Default: "", - Type: []string{"string"}, + Description: "vxlanPort is the VXLAN port used by the cluster defaults. If it is not set, 4789 is the default value", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + Required: []string{"networkPluginName", "clusterNetworks", "serviceNetworkCIDR", "externalIPNetworkCIDRs", "ingressIPNetworkCIDR"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ClusterNetworkEntry"}, + } +} + +func schema_openshift_api_legacyconfig_v1_MasterVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MasterVolumeConfig contains options for configuring volume plugins in the master node.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "dynamicProvisioningEnabled": { + SchemaProps: spec.SchemaProps{ + Description: "dynamicProvisioningEnabled is a boolean that toggles dynamic provisioning off when false, defaults to true", + Type: []string{"boolean"}, Format: "", }, }, - "userNameAttributes": { + }, + Required: []string{"dynamicProvisioningEnabled"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_NamedCertificate(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NamedCertificate specifies a certificate/key, and the names it should be served for", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "names": { SchemaProps: spec.SchemaProps{ - Description: "userNameAttributes defines which attributes on an LDAP user entry will be used, in order, as its OpenShift user name. The first attribute with a non-empty value is used. This should match your PreferredUsername setting for your LDAPPasswordIdentityProvider", + Description: "names is a list of DNS names this certificate should be used to secure A name can be a normal DNS name, or can contain leading wildcard segments.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -32208,169 +33059,160 @@ func schema_openshift_api_legacyconfig_v1_RFC2307Config(ref common.ReferenceCall }, }, }, - "tolerateMemberNotFoundErrors": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "tolerateMemberNotFoundErrors determines the behavior of the LDAP sync job when missing user entries are encountered. If 'true', an LDAP query for users that doesn't find any will be tolerated and an only and error will be logged. If 'false', the LDAP sync job will fail if a query for users doesn't find any. The default value is 'false'. Misconfigured LDAP sync jobs with this flag set to 'true' can cause group membership to be removed, so it is recommended to use this flag with caution.", - Default: false, - Type: []string{"boolean"}, + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "tolerateMemberOutOfScopeErrors": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "tolerateMemberOutOfScopeErrors determines the behavior of the LDAP sync job when out-of-scope user entries are encountered. If 'true', an LDAP query for a user that falls outside of the base DN given for the all user query will be tolerated and only an error will be logged. If 'false', the LDAP sync job will fail if a user query would search outside of the base DN specified by the all user query. Misconfigured LDAP sync jobs with this flag set to 'true' can result in groups missing users, so it is recommended to use this flag with caution.", - Default: false, - Type: []string{"boolean"}, + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", + Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"groupsQuery", "groupUIDAttribute", "groupNameAttributes", "groupMembershipAttributes", "usersQuery", "userUIDAttribute", "userNameAttributes", "tolerateMemberNotFoundErrors", "tolerateMemberOutOfScopeErrors"}, + Required: []string{"names", "certFile", "keyFile"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_NodeAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", + Description: "NodeAuthConfig holds authn/authz configuration options", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "domainName": { + "authenticationCacheTTL": { SchemaProps: spec.SchemaProps{ - Description: "domainName specifies a domain name for the registry In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.", + Description: "authenticationCacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get the default timeout. If zero (e.g. \"0m\"), caching is disabled", Default: "", Type: []string{"string"}, Format: "", }, }, - "insecure": { + "authenticationCacheSize": { SchemaProps: spec.SchemaProps{ - Description: "insecure indicates whether the registry is secure (https) or insecure (http) By default (if not specified) the registry is assumed as secure.", - Type: []string{"boolean"}, + Description: "authenticationCacheSize indicates how many authentication results should be cached. If 0, the default cache size is used.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "authorizationCacheTTL": { + SchemaProps: spec.SchemaProps{ + Description: "authorizationCacheTTL indicates how long an authorization result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get the default timeout. If zero (e.g. \"0m\"), caching is disabled", + Default: "", + Type: []string{"string"}, Format: "", }, }, + "authorizationCacheSize": { + SchemaProps: spec.SchemaProps{ + Description: "authorizationCacheSize indicates how many authorization results should be cached. If 0, the default cache size is used.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, }, - Required: []string{"domainName"}, + Required: []string{"authenticationCacheTTL", "authenticationCacheSize", "authorizationCacheTTL", "authorizationCacheSize"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_RemoteConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_NodeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RemoteConnectionInfo holds information necessary for establishing a remote connection", + Description: "NodeConfig is the fully specified config starting an OpenShift node\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "url": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "url is the remote URL to connect to", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "ca": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "ca is the CA for verifying TLS connections", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "nodeName": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "nodeName is the value used to identify this particular node in the cluster. If possible, this should be your fully qualified hostname. If you're describing a set of static nodes to the master, this value must match one of the values in the list", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "nodeIP": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "Node may have multiple IPs, specify the IP to use for pod traffic routing If not specified, network parse/lookup on the nodeName is performed and the first non-loopback address is used", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"url", "ca", "certFile", "keyFile"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "clientCA": { + "servingInfo": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is a file with the trusted signer certs. It is required.", + Description: "servingInfo describes how to start serving", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ServingInfo"), + }, + }, + "masterKubeConfig": { + SchemaProps: spec.SchemaProps{ + Description: "masterKubeConfig is a filename for the .kubeconfig file that describes how to connect this node to the master", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCommonNames": { + "masterClientConnectionOverrides": { SchemaProps: spec.SchemaProps{ - Description: "clientCommonNames is a required list of common names to require a match from.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "masterClientConnectionOverrides provides overrides to the client connection used to connect to the master.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides"), }, }, - "usernameHeaders": { + "dnsDomain": { SchemaProps: spec.SchemaProps{ - Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "dnsDomain holds the domain suffix that will be used for the DNS search path inside each container. Defaults to 'cluster.local'.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "groupHeaders": { + "dnsIP": { SchemaProps: spec.SchemaProps{ - Description: "GroupNameHeader is the set of headers to check for group information. All are unioned.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "dnsIP is the IP address that pods will use to access cluster DNS. Defaults to the service IP of the Kubernetes master. This IP must be listening on port 53 for compatibility with libc resolvers (which cannot be configured to resolve names from any other port). When running more complex local DNS configurations, this is often set to the local address of a DNS proxy like dnsmasq, which then will consult either the local DNS (see dnsBindAddress) or the master DNS.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "extraHeaderPrefixes": { + "dnsBindAddress": { SchemaProps: spec.SchemaProps{ - Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", + Description: "dnsBindAddress is the ip:port to serve DNS on. If this is not set, the DNS server will not be started. Because most DNS resolvers will only listen on port 53, if you select an alternative port you will need a DNS proxy like dnsmasq to answer queries for containers. A common configuration is dnsmasq configured on a node IP listening on 53 and delegating queries for dnsDomain to this process, while sending other queries to the host environments nameservers.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "dnsNameservers": { + SchemaProps: spec.SchemaProps{ + Description: "dnsNameservers is a list of ip:port values of recursive nameservers to forward queries to when running a local DNS server if dnsBindAddress is set. If this value is empty, the DNS server will default to the nameservers listed in /etc/resolv.conf. If you have configured dnsmasq or another DNS proxy on the system, this value should be set to the upstream nameservers dnsmasq resolves with.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -32383,455 +33225,413 @@ func schema_openshift_api_legacyconfig_v1_RequestHeaderAuthenticationOptions(ref }, }, }, - }, - Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_RequestHeaderIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { + "dnsRecursiveResolvConf": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "dnsRecursiveResolvConf is a path to a resolv.conf file that contains settings for an upstream server. Only the nameservers and port fields are used. The file must exist and parse correctly. It adds extra nameservers to DNSNameservers if set.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "networkPluginName": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "Deprecated and maintained for backward compatibility, use NetworkConfig.NetworkPluginName instead", Type: []string{"string"}, Format: "", }, }, - "loginURL": { + "networkConfig": { SchemaProps: spec.SchemaProps{ - Description: "loginURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter\n https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n https://www.example.com/auth-proxy/oauth/authorize?${query}", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "networkConfig provides network options for the node", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeNetworkConfig"), }, }, - "challengeURL": { + "volumeDirectory": { SchemaProps: spec.SchemaProps{ - Description: "challengeURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter\n https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n https://www.example.com/auth-proxy/oauth/authorize?${query}", + Description: "volumeDirectory is the directory that volumes will be stored under", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCA": { + "imageConfig": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is a file with the trusted signer certs. If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.", - Default: "", - Type: []string{"string"}, + Description: "imageConfig holds options that describe how to build image names for system components", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.ImageConfig"), + }, + }, + "allowDisabledDocker": { + SchemaProps: spec.SchemaProps{ + Description: "allowDisabledDocker if true, the Kubelet will ignore errors from Docker. This means that a node can start on a machine that doesn't have docker started.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "clientCommonNames": { + "podManifestConfig": { SchemaProps: spec.SchemaProps{ - Description: "clientCommonNames is an optional list of common names to require a match from. If empty, any client certificate validated against the clientCA bundle is considered authoritative.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "podManifestConfig holds the configuration for enabling the Kubelet to create pods based from a manifest file(s) placed locally on the node", + Ref: ref("github.com/openshift/api/legacyconfig/v1.PodManifestConfig"), }, }, - "headers": { + "authConfig": { SchemaProps: spec.SchemaProps{ - Description: "headers is the set of headers to check for identity information", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "authConfig holds authn/authz configuration options", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeAuthConfig"), }, }, - "preferredUsernameHeaders": { + "dockerConfig": { SchemaProps: spec.SchemaProps{ - Description: "preferredUsernameHeaders is the set of headers to check for the preferred username", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "dockerConfig holds Docker related configuration options.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.DockerConfig"), }, }, - "nameHeaders": { + "kubeletArguments": { SchemaProps: spec.SchemaProps{ - Description: "nameHeaders is the set of headers to check for the display name", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "kubeletArguments are key value pairs that will be passed directly to the Kubelet that match the Kubelet's command line arguments. These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - "emailHeaders": { + "proxyArguments": { SchemaProps: spec.SchemaProps{ - Description: "emailHeaders is the set of headers to check for the email address", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "proxyArguments are key value pairs that will be passed directly to the Proxy that match the Proxy's command line arguments. These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, }, }, - }, - Required: []string{"loginURL", "challengeURL", "clientCA", "clientCommonNames", "headers", "preferredUsernameHeaders", "nameHeaders", "emailHeaders"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_RoutingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "RoutingConfig holds the necessary configuration options for routing to subdomains", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "subdomain": { - SchemaProps: spec.SchemaProps{ - Description: "subdomain is the suffix appended to $service.$namespace. to form the default route hostname DEPRECATED: This field is being replaced by routers setting their own defaults. This is the \"default\" route.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"subdomain"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_SecurityAllocator(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SecurityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "uidAllocatorRange": { + "iptablesSyncPeriod": { SchemaProps: spec.SchemaProps{ - Description: "uidAllocatorRange defines the total set of Unix user IDs (UIDs) that will be allocated to projects automatically, and the size of the block each namespace gets. For example, 1000-1999/10 will allocate ten UIDs per namespace, and will be able to allocate up to 100 blocks before running out of space. The default is to allocate from 1 billion to 2 billion in 10k blocks (which is the expected size of the ranges container images will use once user namespaces are started).", + Description: "iptablesSyncPeriod is how often iptable rules are refreshed", Default: "", Type: []string{"string"}, Format: "", }, }, - "mcsAllocatorRange": { + "enableUnidling": { SchemaProps: spec.SchemaProps{ - Description: "mcsAllocatorRange defines the range of MCS categories that will be assigned to namespaces. The format is \"/[,]\". The default is \"s0/2\" and will allocate from c0 -> c1023, which means a total of 535k labels are available (1024 choose 2 ~ 535k). If this value is changed after startup, new projects may receive labels that are already allocated to other projects. Prefix may be any valid SELinux set of terms (including user, role, and type), although leaving them as the default will allow the server to set them automatically.\n\nExamples: * s0:/2 - Allocate labels from s0:c0,c0 to s0:c511,c511 * s0:/2,512 - Allocate labels from s0:c0,c0,c0 to s0:c511,c511,511", - Default: "", - Type: []string{"string"}, + Description: "enableUnidling controls whether or not the hybrid unidling proxy will be set up", + Type: []string{"boolean"}, Format: "", }, }, - "mcsLabelsPerProject": { + "volumeConfig": { SchemaProps: spec.SchemaProps{ - Description: "mcsLabelsPerProject defines the number of labels that should be reserved per project. The default is 5 to match the default UID and MCS ranges (100k namespaces, 535k/5 labels).", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "volumeConfig contains options for configuring volumes on the node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.NodeVolumeConfig"), }, }, }, - Required: []string{"uidAllocatorRange", "mcsAllocatorRange", "mcsLabelsPerProject"}, + Required: []string{"nodeName", "nodeIP", "servingInfo", "masterKubeConfig", "masterClientConnectionOverrides", "dnsDomain", "dnsIP", "dnsBindAddress", "dnsNameservers", "dnsRecursiveResolvConf", "networkConfig", "volumeDirectory", "imageConfig", "allowDisabledDocker", "podManifestConfig", "authConfig", "dockerConfig", "iptablesSyncPeriod", "enableUnidling", "volumeConfig"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.ClientConnectionOverrides", "github.com/openshift/api/legacyconfig/v1.DockerConfig", "github.com/openshift/api/legacyconfig/v1.ImageConfig", "github.com/openshift/api/legacyconfig/v1.NodeAuthConfig", "github.com/openshift/api/legacyconfig/v1.NodeNetworkConfig", "github.com/openshift/api/legacyconfig/v1.NodeVolumeConfig", "github.com/openshift/api/legacyconfig/v1.PodManifestConfig", "github.com/openshift/api/legacyconfig/v1.ServingInfo"}, } } -func schema_openshift_api_legacyconfig_v1_ServiceAccountConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_NodeNetworkConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ServiceAccountConfig holds the necessary configuration options for a service account", + Description: "NodeNetworkConfig provides network options for the node", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "managedNames": { - SchemaProps: spec.SchemaProps{ - Description: "managedNames is a list of service account names that will be auto-created in every namespace. If no names are specified, the ServiceAccountsController will not be started.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "limitSecretReferences": { - SchemaProps: spec.SchemaProps{ - Description: "limitSecretReferences controls whether or not to allow a service account to reference any secret in a namespace without explicitly referencing them", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "privateKeyFile": { + "networkPluginName": { SchemaProps: spec.SchemaProps{ - Description: "privateKeyFile is a file containing a PEM-encoded private RSA key, used to sign service account tokens. If no private key is specified, the service account TokensController will not be started.", + Description: "networkPluginName is a string specifying the networking plugin", Default: "", Type: []string{"string"}, Format: "", }, }, - "publicKeyFiles": { - SchemaProps: spec.SchemaProps{ - Description: "publicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "masterCA": { + "mtu": { SchemaProps: spec.SchemaProps{ - Description: "masterCA is the CA for verifying the TLS connection back to the master. The service account controller will automatically inject the contents of this file into pods so they can verify connections to the master.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "Maximum transmission unit for the network packets", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"managedNames", "limitSecretReferences", "privateKeyFile", "publicKeyFiles", "masterCA"}, + Required: []string{"networkPluginName", "mtu"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_NodeVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", + Description: "NodeVolumeConfig contains options for configuring volumes on the node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "signer": { + "localQuota": { SchemaProps: spec.SchemaProps{ - Description: "signer holds the signing information used to automatically sign serving certificates. If this value is nil, then certs are not signed automatically.", - Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), + Description: "localQuota contains options for controlling local volume quota on the node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LocalQuota"), }, }, }, - Required: []string{"signer"}, + Required: []string{"localQuota"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.CertInfo"}, + "github.com/openshift/api/legacyconfig/v1.LocalQuota"}, } } -func schema_openshift_api_legacyconfig_v1_ServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_OAuthConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ServingInfo holds information about serving web pages", + Description: "OAuthConfig holds the necessary configuration options for OAuth authentication", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "bindAddress": { + "masterCA": { SchemaProps: spec.SchemaProps{ - Description: "bindAddress is the ip:port to serve on", - Default: "", + Description: "masterCA is the CA for verifying the TLS connection back to the MasterURL.", Type: []string{"string"}, Format: "", }, }, - "bindNetwork": { + "masterURL": { SchemaProps: spec.SchemaProps{ - Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Description: "masterURL is used for making server-to-server calls to exchange authorization codes for access tokens", Default: "", Type: []string{"string"}, Format: "", }, }, - "certFile": { + "masterPublicURL": { SchemaProps: spec.SchemaProps{ - Description: "certFile is a file containing a PEM-encoded certificate", + Description: "masterPublicURL is used for building valid client redirect URLs for internal and external access", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "assetPublicURL": { SchemaProps: spec.SchemaProps{ - Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Description: "assetPublicURL is used for building valid client redirect URLs for external access", Default: "", Type: []string{"string"}, Format: "", }, }, - "clientCA": { + "alwaysShowProviderSelection": { SchemaProps: spec.SchemaProps{ - Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", - Default: "", - Type: []string{"string"}, + Description: "alwaysShowProviderSelection will force the provider selection page to render even when there is only a single provider.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "namedCertificates": { + "identityProviders": { SchemaProps: spec.SchemaProps{ - Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", + Description: "identityProviders is an ordered list of ways for a user to identify themselves", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.IdentityProvider"), }, }, }, }, }, - "minTLSVersion": { + "grantConfig": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"string"}, - Format: "", + Description: "grantConfig describes how to handle grants", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.GrantConfig"), }, }, - "cipherSuites": { + "sessionConfig": { SchemaProps: spec.SchemaProps{ - Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "sessionConfig hold information about configuring sessions.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.SessionConfig"), + }, + }, + "tokenConfig": { + SchemaProps: spec.SchemaProps{ + Description: "tokenConfig contains options for authorization and access tokens", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.TokenConfig"), + }, + }, + "templates": { + SchemaProps: spec.SchemaProps{ + Description: "templates allow you to customize pages like the login page.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.OAuthTemplates"), }, }, }, - Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates"}, + Required: []string{"masterCA", "masterURL", "masterPublicURL", "assetPublicURL", "alwaysShowProviderSelection", "identityProviders", "grantConfig", "sessionConfig", "tokenConfig", "templates"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, + "github.com/openshift/api/legacyconfig/v1.GrantConfig", "github.com/openshift/api/legacyconfig/v1.IdentityProvider", "github.com/openshift/api/legacyconfig/v1.OAuthTemplates", "github.com/openshift/api/legacyconfig/v1.SessionConfig", "github.com/openshift/api/legacyconfig/v1.TokenConfig"}, } } -func schema_openshift_api_legacyconfig_v1_SessionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_OAuthTemplates(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SessionConfig specifies options for cookie-based sessions. Used by AuthRequestHandlerSession", + Description: "OAuthTemplates allow for customization of pages like the login page", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "sessionSecretsFile": { + "login": { SchemaProps: spec.SchemaProps{ - Description: "sessionSecretsFile is a reference to a file containing a serialized SessionSecrets object If no file is specified, a random signing and encryption key are generated at each server start", + Description: "login is a path to a file containing a go template used to render the login page. If unspecified, the default login page is used.", Default: "", Type: []string{"string"}, Format: "", }, }, - "sessionMaxAgeSeconds": { + "providerSelection": { SchemaProps: spec.SchemaProps{ - Description: "sessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "providerSelection is a path to a file containing a go template used to render the provider selection page. If unspecified, the default provider selection page is used.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "sessionName": { + "error": { SchemaProps: spec.SchemaProps{ - Description: "sessionName is the cookie name used to store the session", + Description: "error is a path to a file containing a go template used to render error pages during the authentication or grant flow If unspecified, the default error page is used.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"sessionSecretsFile", "sessionMaxAgeSeconds", "sessionName"}, + Required: []string{"login", "providerSelection", "error"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_SessionSecret(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_OpenIDClaims(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SessionSecret is a secret used to authenticate/decrypt cookie-based sessions", + Description: "OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "authentication": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "authentication is used to authenticate sessions using HMAC. Recommended to use a secret with 32 or 64 bytes.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "id is the list of claims whose values should be used as the user ID. Required. OpenID standard identity claim is \"sub\"", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "encryption": { + "preferredUsername": { SchemaProps: spec.SchemaProps{ - Description: "encryption is used to encrypt sessions. Must be 16, 24, or 32 characters long, to select AES-128, AES-", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "preferredUsername is the list of claims whose values should be used as the preferred username. If unspecified, the preferred username is determined from the value of the id claim", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the list of claims whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email is the list of claims whose values should be used as the email address. Optional. If unspecified, no email is set for the identity", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, - Required: []string{"authentication", "encryption"}, + Required: []string{"id", "preferredUsername", "name", "email"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_SessionSecrets(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_OpenIDIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SessionSecrets list the secrets to use to sign/encrypt and authenticate/decrypt created sessions.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -32848,241 +33648,244 @@ func schema_openshift_api_legacyconfig_v1_SessionSecrets(ref common.ReferenceCal Format: "", }, }, - "secrets": { + "ca": { + SchemaProps: spec.SchemaProps{ + Description: "ca is the optional trusted certificate authority bundle to use when making requests to the server If empty, the default system roots are used", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "clientID": { + SchemaProps: spec.SchemaProps{ + Description: "clientID is the oauth client ID", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "clientSecret": { + SchemaProps: spec.SchemaProps{ + Description: "clientSecret is the oauth client secret", + Ref: ref("github.com/openshift/api/legacyconfig/v1.StringSource"), + }, + }, + "extraScopes": { + SchemaProps: spec.SchemaProps{ + Description: "extraScopes are any scopes to request in addition to the standard \"openid\" scope.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "extraAuthorizeParameters": { SchemaProps: spec.SchemaProps{ - Description: "secrets is a list of secrets New sessions are signed and encrypted using the first secret. Existing sessions are decrypted/authenticated by each secret until one succeeds. This allows rotating secrets.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "extraAuthorizeParameters are any custom parameters to add to the authorize request.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.SessionSecret"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - }, - Required: []string{"secrets"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.SessionSecret"}, - } -} - -func schema_openshift_api_legacyconfig_v1_SourceStrategyDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SourceStrategyDefaultsConfig contains values that apply to builds using the source strategy.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "incremental": { + "urls": { SchemaProps: spec.SchemaProps{ - Description: "incremental indicates if s2i build strategies should perform an incremental build or not", - Type: []string{"boolean"}, - Format: "", + Description: "urls to use to authenticate", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.OpenIDURLs"), + }, + }, + "claims": { + SchemaProps: spec.SchemaProps{ + Description: "claims mappings", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.OpenIDClaims"), }, }, }, + Required: []string{"ca", "clientID", "clientSecret", "extraScopes", "extraAuthorizeParameters", "urls", "claims"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.OpenIDClaims", "github.com/openshift/api/legacyconfig/v1.OpenIDURLs", "github.com/openshift/api/legacyconfig/v1.StringSource"}, } } -func schema_openshift_api_legacyconfig_v1_StringSource(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_OpenIDURLs(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "StringSource allows specifying a string inline, or externally via env var or file. When it contains only a string value, it marshals to a simple JSON string.", + Description: "OpenIDURLs are URLs to use when authenticating with an OpenID identity provider", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "value": { - SchemaProps: spec.SchemaProps{ - Description: "value specifies the cleartext value, or an encrypted value if keyFile is specified.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "env": { + "authorize": { SchemaProps: spec.SchemaProps{ - Description: "env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.", + Description: "authorize is the oauth authorization URL", Default: "", Type: []string{"string"}, Format: "", }, }, - "file": { + "token": { SchemaProps: spec.SchemaProps{ - Description: "file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.", + Description: "token is the oauth token granting URL", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "userInfo": { SchemaProps: spec.SchemaProps{ - Description: "keyFile references a file containing the key to use to decrypt the value.", + Description: "userInfo is the optional userinfo URL. If present, a granted access_token is used to request claims If empty, a granted id_token is parsed for claims", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"value", "env", "file", "keyFile"}, + Required: []string{"authorize", "token", "userInfo"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_StringSourceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_PodManifestConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "StringSourceSpec specifies a string value, or external location", + Description: "PodManifestConfig holds the necessary configuration options for using pod manifests", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "value": { - SchemaProps: spec.SchemaProps{ - Description: "value specifies the cleartext value, or an encrypted value if keyFile is specified.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "env": { - SchemaProps: spec.SchemaProps{ - Description: "env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "file": { + "path": { SchemaProps: spec.SchemaProps{ - Description: "file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.", + Description: "path specifies the path for the pod manifest file or directory If its a directory, its expected to contain on or more manifest files This is used by the Kubelet to create pods on the node", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyFile": { + "fileCheckIntervalSeconds": { SchemaProps: spec.SchemaProps{ - Description: "keyFile references a file containing the key to use to decrypt the value.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "fileCheckIntervalSeconds is the interval in seconds for checking the manifest file(s) for new data The interval needs to be a positive value", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"value", "env", "file", "keyFile"}, + Required: []string{"path", "fileCheckIntervalSeconds"}, }, }, } } -func schema_openshift_api_legacyconfig_v1_TokenConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_PolicyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TokenConfig holds the necessary configuration options for authorization and access tokens", + Description: "holds the necessary configuration options for", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "authorizeTokenMaxAgeSeconds": { - SchemaProps: spec.SchemaProps{ - Description: "authorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "accessTokenMaxAgeSeconds": { - SchemaProps: spec.SchemaProps{ - Description: "accessTokenMaxAgeSeconds defines the maximum age of access tokens", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "accessTokenInactivityTimeoutSeconds": { + "userAgentMatchingConfig": { SchemaProps: spec.SchemaProps{ - Description: "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overriden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", - Type: []string{"integer"}, - Format: "int32", + Description: "userAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentMatchingConfig"), }, }, }, - Required: []string{"authorizeTokenMaxAgeSeconds", "accessTokenMaxAgeSeconds"}, + Required: []string{"userAgentMatchingConfig"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.UserAgentMatchingConfig"}, } } -func schema_openshift_api_legacyconfig_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ProjectConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", + Description: "holds the necessary configuration options for", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "regex": { + "defaultNodeSelector": { SchemaProps: spec.SchemaProps{ - Description: "UserAgentRegex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Description: "defaultNodeSelector holds default project node label selector", Default: "", Type: []string{"string"}, Format: "", }, }, - "httpVerbs": { + "projectRequestMessage": { SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "rejectionMessage": { + "projectRequestTemplate": { SchemaProps: spec.SchemaProps{ - Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Description: "projectRequestTemplate is the template to use for creating projects in response to projectrequest. It is in the format namespace/template and it is optional. If it is not specified, a default template is used.", Default: "", Type: []string{"string"}, Format: "", }, }, + "securityAllocator": { + SchemaProps: spec.SchemaProps{ + Description: "securityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.SecurityAllocator"), + }, + }, }, - Required: []string{"regex", "httpVerbs", "rejectionMessage"}, + Required: []string{"defaultNodeSelector", "projectRequestMessage", "projectRequestTemplate", "securityAllocator"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.SecurityAllocator"}, } } -func schema_openshift_api_legacyconfig_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_RFC2307Config(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", + Description: "RFC2307Config holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the RFC2307 schema", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "regex": { + "groupsQuery": { SchemaProps: spec.SchemaProps{ - Description: "UserAgentRegex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Description: "AllGroupsQuery holds the template for an LDAP query that returns group entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + }, + }, + "groupUIDAttribute": { + SchemaProps: spec.SchemaProps{ + Description: "GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)", Default: "", Type: []string{"string"}, Format: "", }, }, - "httpVerbs": { + "groupNameAttributes": { SchemaProps: spec.SchemaProps{ - Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Description: "groupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift group", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -33095,168 +33898,169 @@ func schema_openshift_api_legacyconfig_v1_UserAgentMatchRule(ref common.Referenc }, }, }, - }, - Required: []string{"regex", "httpVerbs"}, - }, - }, - } -} - -func schema_openshift_api_legacyconfig_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "requiredClients": { + "groupMembershipAttributes": { SchemaProps: spec.SchemaProps{ - Description: "If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", + Description: "groupMembershipAttributes defines which attributes on an LDAP group entry will be interpreted as its members. The values contained in those attributes must be queryable by your UserUIDAttribute", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentMatchRule"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "deniedClients": { + "usersQuery": { SchemaProps: spec.SchemaProps{ - Description: "If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", + Description: "AllUsersQuery holds the template for an LDAP query that returns user entries.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.LDAPQuery"), + }, + }, + "userUIDAttribute": { + SchemaProps: spec.SchemaProps{ + Description: "userUIDAttribute defines which attribute on an LDAP user entry will be interpreted as its unique identifier. It must correspond to values that will be found from the GroupMembershipAttributes", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "userNameAttributes": { + SchemaProps: spec.SchemaProps{ + Description: "userNameAttributes defines which attributes on an LDAP user entry will be used, in order, as its OpenShift user name. The first attribute with a non-empty value is used. This should match your PreferredUsername setting for your LDAPPasswordIdentityProvider", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentDenyRule"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "defaultRejectionMessage": { + "tolerateMemberNotFoundErrors": { SchemaProps: spec.SchemaProps{ - Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", - Default: "", - Type: []string{"string"}, + Description: "tolerateMemberNotFoundErrors determines the behavior of the LDAP sync job when missing user entries are encountered. If 'true', an LDAP query for users that doesn't find any will be tolerated and an only and error will be logged. If 'false', the LDAP sync job will fail if a query for users doesn't find any. The default value is 'false'. Misconfigured LDAP sync jobs with this flag set to 'true' can cause group membership to be removed, so it is recommended to use this flag with caution.", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + "tolerateMemberOutOfScopeErrors": { + SchemaProps: spec.SchemaProps{ + Description: "tolerateMemberOutOfScopeErrors determines the behavior of the LDAP sync job when out-of-scope user entries are encountered. If 'true', an LDAP query for a user that falls outside of the base DN given for the all user query will be tolerated and only an error will be logged. If 'false', the LDAP sync job will fail if a user query would search outside of the base DN specified by the all user query. Misconfigured LDAP sync jobs with this flag set to 'true' can result in groups missing users, so it is recommended to use this flag with caution.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, + Required: []string{"groupsQuery", "groupUIDAttribute", "groupNameAttributes", "groupMembershipAttributes", "usersQuery", "userUIDAttribute", "userNameAttributes", "tolerateMemberNotFoundErrors", "tolerateMemberOutOfScopeErrors"}, }, }, Dependencies: []string{ - "github.com/openshift/api/legacyconfig/v1.UserAgentDenyRule", "github.com/openshift/api/legacyconfig/v1.UserAgentMatchRule"}, + "github.com/openshift/api/legacyconfig/v1.LDAPQuery"}, } } -func schema_openshift_api_legacyconfig_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", + Description: "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configFile": { + "domainName": { SchemaProps: spec.SchemaProps{ - Description: "configFile is a path to a Kubeconfig file with the webhook configuration", + Description: "domainName specifies a domain name for the registry In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.", Default: "", Type: []string{"string"}, Format: "", }, }, - "cacheTTL": { + "insecure": { SchemaProps: spec.SchemaProps{ - Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", - Default: "", - Type: []string{"string"}, + Description: "insecure indicates whether the registry is secure (https) or insecure (http) By default (if not specified) the registry is assumed as secure.", + Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"configFile", "cacheTTL"}, + Required: []string{"domainName"}, }, }, } } -func schema_openshift_api_machine_v1_AWSFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_RemoteConnectionInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSFailureDomain configures failure domain information for the AWS platform.", + Description: "RemoteConnectionInfo holds information necessary for establishing a remote connection", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "subnet": { + "url": { SchemaProps: spec.SchemaProps{ - Description: "subnet is a reference to the subnet to use for this instance.", - Ref: ref("github.com/openshift/api/machine/v1.AWSResourceReference"), + Description: "url is the remote URL to connect to", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "placement": { + "ca": { SchemaProps: spec.SchemaProps{ - Description: "placement configures the placement information for this instance.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AWSFailureDomainPlacement"), + Description: "ca is the CA for verifying TLS connections", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.AWSFailureDomainPlacement", "github.com/openshift/api/machine/v1.AWSResourceReference"}, - } -} - -func schema_openshift_api_machine_v1_AWSFailureDomainPlacement(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSFailureDomainPlacement configures the placement information for the AWSFailureDomain.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "availabilityZone": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone is the availability zone of the instance.", + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "keyFile": { + SchemaProps: spec.SchemaProps{ + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"availabilityZone"}, + Required: []string{"url", "ca", "certFile", "keyFile"}, }, }, } } -func schema_openshift_api_machine_v1_AWSResourceFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_RequestHeaderAuthenticationOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSResourceFilter is a filter used to identify an AWS resource", + Description: "RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire API instead of against the /oauth endpoint.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "name of the filter. Filter names are case-sensitive.", + Description: "clientCA is a file with the trusted signer certs. It is required.", Default: "", Type: []string{"string"}, Format: "", }, }, - "values": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + "clientCommonNames": { SchemaProps: spec.SchemaProps{ - Description: "values includes one or more filter values. Filter values are case-sensitive.", + Description: "clientCommonNames is a required list of common names to require a match from.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -33269,89 +34073,63 @@ func schema_openshift_api_machine_v1_AWSResourceFilter(ref common.ReferenceCallb }, }, }, - }, - Required: []string{"name"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_AWSResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters. Only one of ID, ARN or Filters may be specified. Specifying more than one will result in a validation error.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type determines how the reference will fetch the AWS resource.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "id": { - SchemaProps: spec.SchemaProps{ - Description: "id of resource.", - Type: []string{"string"}, - Format: "", - }, - }, - "arn": { + "usernameHeaders": { SchemaProps: spec.SchemaProps{ - Description: "arn of resource.", - Type: []string{"string"}, - Format: "", - }, - }, - "filters": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", + Description: "usernameHeaders is the list of headers to check for user information. First hit wins.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, }, + }, + "groupHeaders": { SchemaProps: spec.SchemaProps{ - Description: "filters is a set of filters used to identify a resource.", + Description: "GroupNameHeader is the set of headers to check for group information. All are unioned.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AWSResourceFilter"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "arn": "ARN", - "filters": "Filters", - "id": "ID", + "extraHeaderPrefixes": { + SchemaProps: spec.SchemaProps{ + Description: "extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, }, + Required: []string{"clientCA", "clientCommonNames", "usernameHeaders", "groupHeaders", "extraHeaderPrefixes"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.AWSResourceFilter"}, } } -func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_RequestHeaderIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AlibabaCloudMachineProviderConfig is the Schema for the alibabacloudmachineproviderconfig API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -33368,441 +34146,427 @@ func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderConfig(ref commo Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "instanceType": { + "loginURL": { SchemaProps: spec.SchemaProps{ - Description: "The instance type of the instance.", + Description: "loginURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter\n https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n https://www.example.com/auth-proxy/oauth/authorize?${query}", Default: "", Type: []string{"string"}, Format: "", }, }, - "vpcId": { + "challengeURL": { SchemaProps: spec.SchemaProps{ - Description: "The ID of the vpc", + Description: "challengeURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter\n https://www.example.com/sso-login?then=${url}\n${query} is replaced with the current query string\n https://www.example.com/auth-proxy/oauth/authorize?${query}", Default: "", Type: []string{"string"}, Format: "", }, }, - "regionId": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "The ID of the region in which to create the instance. You can call the DescribeRegions operation to query the most recent region list.", + Description: "clientCA is a file with the trusted signer certs. If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.", Default: "", Type: []string{"string"}, Format: "", }, }, - "zoneId": { + "clientCommonNames": { SchemaProps: spec.SchemaProps{ - Description: "The ID of the zone in which to create the instance. You can call the DescribeZones operation to query the most recent region list.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "clientCommonNames is an optional list of common names to require a match from. If empty, any client certificate validated against the clientCA bundle is considered authoritative.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "imageId": { + "headers": { SchemaProps: spec.SchemaProps{ - Description: "The ID of the image used to create the instance.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "headers is the set of headers to check for identity information", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "dataDisk": { + "preferredUsernameHeaders": { + SchemaProps: spec.SchemaProps{ + Description: "preferredUsernameHeaders is the set of headers to check for the preferred username", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "nameHeaders": { SchemaProps: spec.SchemaProps{ - Description: "DataDisks holds information regarding the extra disks attached to the instance", + Description: "nameHeaders is the set of headers to check for the display name", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.DataDiskProperties"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "securityGroups": { + "emailHeaders": { SchemaProps: spec.SchemaProps{ - Description: "securityGroups is a list of security group references to assign to the instance. A reference holds either the security group ID, the resource name, or the required tags to search. When more than one security group is returned for a tag search, all the groups are associated with the instance up to the maximum number of security groups to which an instance can belong. For more information, see the \"Security group limits\" section in Limits. https://www.alibabacloud.com/help/en/doc-detail/25412.htm", + Description: "emailHeaders is the set of headers to check for the email address", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "bandwidth": { - SchemaProps: spec.SchemaProps{ - Description: "bandwidth describes the internet bandwidth strategy for the instance", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.BandwidthProperties"), - }, - }, - "systemDisk": { + }, + Required: []string{"loginURL", "challengeURL", "clientCA", "clientCommonNames", "headers", "preferredUsernameHeaders", "nameHeaders", "emailHeaders"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_RoutingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RoutingConfig holds the necessary configuration options for routing to subdomains", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "subdomain": { SchemaProps: spec.SchemaProps{ - Description: "systemDisk holds the properties regarding the system disk for the instance", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.SystemDiskProperties"), + Description: "subdomain is the suffix appended to $service.$namespace. to form the default route hostname DEPRECATED: This field is being replaced by routers setting their own defaults. This is the \"default\" route.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "vSwitch": { + }, + Required: []string{"subdomain"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_SecurityAllocator(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecurityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uidAllocatorRange": { SchemaProps: spec.SchemaProps{ - Description: "vSwitch is a reference to the vswitch to use for this instance. A reference holds either the vSwitch ID, the resource name, or the required tags to search. When more than one vSwitch is returned for a tag search, only the first vSwitch returned will be used. This parameter is required when you create an instance of the VPC type. You can call the DescribeVSwitches operation to query the created vSwitches.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), + Description: "uidAllocatorRange defines the total set of Unix user IDs (UIDs) that will be allocated to projects automatically, and the size of the block each namespace gets. For example, 1000-1999/10 will allocate ten UIDs per namespace, and will be able to allocate up to 100 blocks before running out of space. The default is to allocate from 1 billion to 2 billion in 10k blocks (which is the expected size of the ranges container images will use once user namespaces are started).", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "ramRoleName": { + "mcsAllocatorRange": { SchemaProps: spec.SchemaProps{ - Description: "ramRoleName is the name of the instance Resource Access Management (RAM) role. This allows the instance to perform API calls as this specified RAM role.", + Description: "mcsAllocatorRange defines the range of MCS categories that will be assigned to namespaces. The format is \"/[,]\". The default is \"s0/2\" and will allocate from c0 -> c1023, which means a total of 535k labels are available (1024 choose 2 ~ 535k). If this value is changed after startup, new projects may receive labels that are already allocated to other projects. Prefix may be any valid SELinux set of terms (including user, role, and type), although leaving them as the default will allow the server to set them automatically.\n\nExamples: * s0:/2 - Allocate labels from s0:c0,c0 to s0:c511,c511 * s0:/2,512 - Allocate labels from s0:c0,c0,c0 to s0:c511,c511,511", + Default: "", Type: []string{"string"}, Format: "", }, }, - "resourceGroup": { + "mcsLabelsPerProject": { SchemaProps: spec.SchemaProps{ - Description: "resourceGroup references the resource group to which to assign the instance. A reference holds either the resource group ID, the resource name, or the required tags to search. When more than one resource group are returned for a search, an error will be produced and the Machine will not be created. Resource Groups do not support searching by tags.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), + Description: "mcsLabelsPerProject defines the number of labels that should be reserved per project. The default is 5 to match the default UID and MCS ranges (100k namespaces, 535k/5 labels).", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "tenancy": { + }, + Required: []string{"uidAllocatorRange", "mcsAllocatorRange", "mcsLabelsPerProject"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_ServiceAccountConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ServiceAccountConfig holds the necessary configuration options for a service account", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "managedNames": { SchemaProps: spec.SchemaProps{ - Description: "tenancy specifies whether to create the instance on a dedicated host. Valid values:\n\ndefault: creates the instance on a non-dedicated host. host: creates the instance on a dedicated host. If you do not specify the DedicatedHostID parameter, Alibaba Cloud automatically selects a dedicated host for the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `default`.", - Type: []string{"string"}, - Format: "", + Description: "managedNames is a list of service account names that will be auto-created in every namespace. If no names are specified, the ServiceAccountsController will not be started.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "userDataSecret": { + "limitSecretReferences": { SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "limitSecretReferences controls whether or not to allow a service account to reference any secret in a namespace without explicitly referencing them", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, - "credentialsSecret": { + "privateKeyFile": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with alibabacloud credentials. Otherwise, defaults to permissions provided by attached RAM role where the actuator is running.", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "privateKeyFile is a file containing a PEM-encoded private RSA key, used to sign service account tokens. If no private key is specified, the service account TokensController will not be started.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "tag": { + "publicKeyFiles": { SchemaProps: spec.SchemaProps{ - Description: "Tags are the set of metadata to add to an instance.", + Description: "publicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.Tag"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, + "masterCA": { + SchemaProps: spec.SchemaProps{ + Description: "masterCA is the CA for verifying the TLS connection back to the master. The service account controller will automatically inject the contents of this file into pods so they can verify connections to the master.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, - Required: []string{"instanceType", "vpcId", "regionId", "zoneId", "imageId", "vSwitch", "resourceGroup"}, + Required: []string{"managedNames", "limitSecretReferences", "privateKeyFile", "publicKeyFiles", "masterCA"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.AlibabaResourceReference", "github.com/openshift/api/machine/v1.BandwidthProperties", "github.com/openshift/api/machine/v1.DataDiskProperties", "github.com/openshift/api/machine/v1.SystemDiskProperties", "github.com/openshift/api/machine/v1.Tag", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ServiceServingCert(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AlibabaCloudMachineProviderConfigList contains a list of AlibabaCloudMachineProviderConfig Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fulfilling a service to serve with.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { + "signer": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AlibabaCloudMachineProviderConfig"), - }, - }, - }, + Description: "signer holds the signing information used to automatically sign serving certificates. If this value is nil, then certs are not signed automatically.", + Ref: ref("github.com/openshift/api/legacyconfig/v1.CertInfo"), }, }, }, - Required: []string{"items"}, + Required: []string{"signer"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.AlibabaCloudMachineProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/legacyconfig/v1.CertInfo"}, } } -func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_ServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AlibabaCloudMachineProviderStatus is the Schema for the alibabacloudmachineproviderconfig API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ServingInfo holds information about serving web pages", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "bindAddress": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "bindAddress is the ip:port to serve on", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "bindNetwork": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "bindNetwork is the type of network to bind to - defaults to \"tcp4\", accepts \"tcp\", \"tcp4\", and \"tcp6\"", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "certFile": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Description: "certFile is a file containing a PEM-encoded certificate", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "instanceId": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "instanceId is the instance ID of the machine created in alibabacloud", + Description: "keyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile", + Default: "", Type: []string{"string"}, Format: "", }, }, - "instanceState": { + "clientCA": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the state of the alibabacloud instance for this machine", + Description: "clientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates", + Default: "", Type: []string{"string"}, Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, + "namedCertificates": { SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Description: "namedCertificates is a list of certificates to use to secure requests to specific hostnames", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.NamedCertificate"), }, }, }, }, }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_machine_v1_AlibabaResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ResourceTagReference is a reference to a specific AlibabaCloud resource by ID, or tags. Only one of ID or Tags may be specified. Specifying more than one will result in a validation error.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type identifies the resource reference type for this entry.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "id": { - SchemaProps: spec.SchemaProps{ - Description: "id of resource", - Type: []string{"string"}, - Format: "", - }, - }, - "name": { + "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "name of the resource", + Description: "minTLSVersion is the minimum TLS version supported. Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants", Type: []string{"string"}, Format: "", }, }, - "tags": { + "cipherSuites": { SchemaProps: spec.SchemaProps{ - Description: "tags is a set of metadata based upon ECS object tags used to identify a resource. For details about usage when multiple resources are found, please see the owning parent field documentation.", + Description: "cipherSuites contains an overridden list of ciphers for the server to support. Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.Tag"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, }, - Required: []string{"type"}, + Required: []string{"bindAddress", "bindNetwork", "certFile", "keyFile", "clientCA", "namedCertificates"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.Tag"}, + "github.com/openshift/api/legacyconfig/v1.NamedCertificate"}, } } -func schema_openshift_api_machine_v1_AzureFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_SessionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AzureFailureDomain configures failure domain information for the Azure platform.", + Description: "SessionConfig specifies options for cookie-based sessions. Used by AuthRequestHandlerSession", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "zone": { + "sessionSecretsFile": { SchemaProps: spec.SchemaProps{ - Description: "Availability Zone for the virtual machine. If nil, the virtual machine should be deployed to no zone.", + Description: "sessionSecretsFile is a reference to a file containing a serialized SessionSecrets object If no file is specified, a random signing and encryption key are generated at each server start", Default: "", Type: []string{"string"}, Format: "", }, }, - "subnet": { - SchemaProps: spec.SchemaProps{ - Description: "subnet is the name of the network subnet in which the VM will be created. When omitted, the subnet value from the machine providerSpec template will be used.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"zone"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_BandwidthProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Bandwidth describes the bandwidth strategy for the network of the instance", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "internetMaxBandwidthIn": { + "sessionMaxAgeSeconds": { SchemaProps: spec.SchemaProps{ - Description: "internetMaxBandwidthIn is the maximum inbound public bandwidth. Unit: Mbit/s. Valid values: When the purchased outbound public bandwidth is less than or equal to 10 Mbit/s, the valid values of this parameter are 1 to 10. Currently the default is `10` when outbound bandwidth is less than or equal to 10 Mbit/s. When the purchased outbound public bandwidth is greater than 10, the valid values are 1 to the InternetMaxBandwidthOut value. Currently the default is the value used for `InternetMaxBandwidthOut` when outbound public bandwidth is greater than 10.", + Description: "sessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession", + Default: 0, Type: []string{"integer"}, - Format: "int64", + Format: "int32", }, }, - "internetMaxBandwidthOut": { + "sessionName": { SchemaProps: spec.SchemaProps{ - Description: "internetMaxBandwidthOut is the maximum outbound public bandwidth. Unit: Mbit/s. Valid values: 0 to 100. When a value greater than 0 is used then a public IP address is assigned to the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `0`", - Type: []string{"integer"}, - Format: "int64", + Description: "sessionName is the cookie name used to store the session", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"sessionSecretsFile", "sessionMaxAgeSeconds", "sessionName"}, }, }, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSet(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_SessionSecret(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSet ensures that a specified number of control plane machine replicas are running at any given time. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "SessionSecret is a secret used to authenticate/decrypt cookie-based sessions", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "authentication": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "authentication is used to authenticate sessions using HMAC. Recommended to use a secret with 32 or 64 bytes.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "encryption": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "encryption is used to encrypt sessions. Must be 16, 24, or 32 characters long, to select AES-128, AES-", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetSpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetStatus"), - }, - }, }, + Required: []string{"authentication", "encryption"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.ControlPlaneMachineSetSpec", "github.com/openshift/api/machine/v1.ControlPlaneMachineSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_SessionSecrets(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSetList contains a list of ControlPlaneMachineSet Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "SessionSecrets list the secrets to use to sign/encrypt and authenticate/decrypt created sessions.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -33819,501 +34583,494 @@ func schema_openshift_api_machine_v1_ControlPlaneMachineSetList(ref common.Refer Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { + "secrets": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "secrets is a list of secrets New sessions are signed and encrypted using the first secret. Existing sessions are decrypted/authenticated by each secret until one succeeds. This allows rotating secrets.", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSet"), + Ref: ref("github.com/openshift/api/legacyconfig/v1.SessionSecret"), }, }, }, }, }, }, - Required: []string{"items"}, + Required: []string{"secrets"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.ControlPlaneMachineSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/legacyconfig/v1.SessionSecret"}, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_SourceStrategyDefaultsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSet represents the configuration of the ControlPlaneMachineSet.", + Description: "SourceStrategyDefaultsConfig contains values that apply to builds using the source strategy.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "machineNamePrefix": { + "incremental": { SchemaProps: spec.SchemaProps{ - Description: "machineNamePrefix is the prefix used when creating machine names. Each machine name will consist of this prefix, followed by a randomly generated string of 5 characters, and the index of the machine. It must be a lowercase RFC 1123 subdomain, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'). Each block, separated by periods, must start and end with an alphanumeric character. Hyphens are not allowed at the start or end of a block, and consecutive periods are not permitted. The prefix must be between 1 and 245 characters in length. For example, if machineNamePrefix is set to 'control-plane', and three machines are created, their names might be: control-plane-abcde-0, control-plane-fghij-1, control-plane-klmno-2", - Type: []string{"string"}, + Description: "incremental indicates if s2i build strategies should perform an incremental build or not", + Type: []string{"boolean"}, Format: "", }, }, - "state": { + }, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_StringSource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "StringSource allows specifying a string inline, or externally via env var or file. When it contains only a string value, it marshals to a simple JSON string.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "value": { SchemaProps: spec.SchemaProps{ - Description: "state defines whether the ControlPlaneMachineSet is Active or Inactive. When Inactive, the ControlPlaneMachineSet will not take any action on the state of the Machines within the cluster. When Active, the ControlPlaneMachineSet will reconcile the Machines and will update the Machines as necessary. Once Active, a ControlPlaneMachineSet cannot be made Inactive. To prevent further action please remove the ControlPlaneMachineSet.", - Default: "Inactive", + Description: "value specifies the cleartext value, or an encrypted value if keyFile is specified.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "replicas": { - SchemaProps: spec.SchemaProps{ - Description: "replicas defines how many Control Plane Machines should be created by this ControlPlaneMachineSet. This field is immutable and cannot be changed after cluster installation. The ControlPlaneMachineSet only operates with 3 or 5 node control planes, 3 and 5 are the only valid values for this field.", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "strategy": { + "env": { SchemaProps: spec.SchemaProps{ - Description: "strategy defines how the ControlPlaneMachineSet will update Machines when it detects a change to the ProviderSpec.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetStrategy"), + Description: "env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "selector": { + "file": { SchemaProps: spec.SchemaProps{ - Description: "Label selector for Machines. Existing Machines selected by this selector will be the ones affected by this ControlPlaneMachineSet. It must match the template's labels. This field is considered immutable after creation of the resource.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + Description: "file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "template": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "template describes the Control Plane Machines that will be created by this ControlPlaneMachineSet.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplate"), + Description: "keyFile references a file containing the key to use to decrypt the value.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"replicas", "selector", "template"}, + Required: []string{"value", "env", "file", "keyFile"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.ControlPlaneMachineSetStrategy", "github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_StringSourceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSetStatus represents the status of the ControlPlaneMachineSet CRD.", + Description: "StringSourceSpec specifies a string value, or external location", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "value specifies the cleartext value, or an encrypted value if keyFile is specified.", + Default: "", + Type: []string{"string"}, + Format: "", }, + }, + "env": { SchemaProps: spec.SchemaProps{ - Description: "conditions represents the observations of the ControlPlaneMachineSet's current state. Known .status.conditions.type are: Available, Degraded and Progressing.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, + Description: "env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "observedGeneration": { + "file": { SchemaProps: spec.SchemaProps{ - Description: "observedGeneration is the most recent generation observed for this ControlPlaneMachineSet. It corresponds to the ControlPlaneMachineSets's generation, which is updated on mutation by the API Server.", - Type: []string{"integer"}, - Format: "int64", + Description: "file references a file containing the cleartext value, or an encrypted value if a keyFile is specified.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "replicas": { + "keyFile": { SchemaProps: spec.SchemaProps{ - Description: "replicas is the number of Control Plane Machines created by the ControlPlaneMachineSet controller. Note that during update operations this value may differ from the desired replica count.", - Type: []string{"integer"}, - Format: "int32", + Description: "keyFile references a file containing the key to use to decrypt the value.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "readyReplicas": { + }, + Required: []string{"value", "env", "file", "keyFile"}, + }, + }, + } +} + +func schema_openshift_api_legacyconfig_v1_TokenConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TokenConfig holds the necessary configuration options for authorization and access tokens", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "authorizeTokenMaxAgeSeconds": { SchemaProps: spec.SchemaProps{ - Description: "readyReplicas is the number of Control Plane Machines created by the ControlPlaneMachineSet controller which are ready. Note that this value may be higher than the desired number of replicas while rolling updates are in-progress.", + Description: "authorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens", + Default: 0, Type: []string{"integer"}, Format: "int32", }, }, - "updatedReplicas": { + "accessTokenMaxAgeSeconds": { SchemaProps: spec.SchemaProps{ - Description: "updatedReplicas is the number of non-terminated Control Plane Machines created by the ControlPlaneMachineSet controller that have the desired provider spec and are ready. This value is set to 0 when a change is detected to the desired spec. When the update strategy is RollingUpdate, this will also coincide with starting the process of updating the Machines. When the update strategy is OnDelete, this value will remain at 0 until a user deletes an existing replica and its replacement has become ready.", + Description: "accessTokenMaxAgeSeconds defines the maximum age of access tokens", + Default: 0, Type: []string{"integer"}, Format: "int32", }, }, - "unavailableReplicas": { + "accessTokenInactivityTimeoutSeconds": { SchemaProps: spec.SchemaProps{ - Description: "unavailableReplicas is the number of Control Plane Machines that are still required before the ControlPlaneMachineSet reaches the desired available capacity. When this value is non-zero, the number of ReadyReplicas is less than the desired Replicas.", + Description: "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overridden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", Type: []string{"integer"}, Format: "int32", }, }, }, + Required: []string{"authorizeTokenMaxAgeSeconds", "accessTokenMaxAgeSeconds"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_UserAgentDenyRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSetStrategy defines the strategy for applying updates to the Control Plane Machines managed by the ControlPlaneMachineSet.", + Description: "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "type defines the type of update strategy that should be used when updating Machines owned by the ControlPlaneMachineSet. Valid values are \"RollingUpdate\" and \"OnDelete\". The current default value is \"RollingUpdate\".", - Default: "RollingUpdate", + Description: "UserAgentRegex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "httpVerbs": { + SchemaProps: spec.SchemaProps{ + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "rejectionMessage": { + SchemaProps: spec.SchemaProps{ + Description: "rejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"regex", "httpVerbs", "rejectionMessage"}, }, }, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetTemplate(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_UserAgentMatchRule(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSetTemplate is a template used by the ControlPlaneMachineSet to create the Machines that it will manage in the future.", + Description: "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "machineType": { + "regex": { SchemaProps: spec.SchemaProps{ - Description: "machineType determines the type of Machines that should be managed by the ControlPlaneMachineSet. Currently, the only valid value is machines_v1beta1_machine_openshift_io.", + Description: "UserAgentRegex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f", + Default: "", Type: []string{"string"}, Format: "", }, }, - "machines_v1beta1_machine_openshift_io": { + "httpVerbs": { SchemaProps: spec.SchemaProps{ - Description: "OpenShiftMachineV1Beta1Machine defines the template for creating Machines from the v1beta1.machine.openshift.io API group.", - Ref: ref("github.com/openshift/api/machine/v1.OpenShiftMachineV1Beta1MachineTemplate"), - }, - }, - }, - Required: []string{"machineType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "machineType", - "fields-to-discriminateBy": map[string]interface{}{ - "machines_v1beta1_machine_openshift_io": "OpenShiftMachineV1Beta1Machine", + Description: "httpVerbs specifies which HTTP verbs should be matched. An empty list means \"match all verbs\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, }, + Required: []string{"regex", "httpVerbs"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.OpenShiftMachineV1Beta1MachineTemplate"}, } } -func schema_openshift_api_machine_v1_ControlPlaneMachineSetTemplateObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_UserAgentMatchingConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ControlPlaneMachineSetTemplateObjectMeta is a subset of the metav1.ObjectMeta struct. It allows users to specify labels and annotations that will be copied onto Machines created from this template.", + Description: "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "labels": { + "requiredClients": { SchemaProps: spec.SchemaProps{ - Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels. This field must contain both the 'machine.openshift.io/cluster-api-machine-role' and 'machine.openshift.io/cluster-api-machine-type' labels, both with a value of 'master'. It must also contain a label with the key 'machine.openshift.io/cluster-api-cluster'.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentMatchRule"), }, }, }, }, }, - "annotations": { + "deniedClients": { SchemaProps: spec.SchemaProps{ - Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/legacyconfig/v1.UserAgentDenyRule"), }, }, }, }, }, + "defaultRejectionMessage": { + SchemaProps: spec.SchemaProps{ + Description: "defaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, - Required: []string{"labels"}, + Required: []string{"requiredClients", "deniedClients", "defaultRejectionMessage"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/legacyconfig/v1.UserAgentDenyRule", "github.com/openshift/api/legacyconfig/v1.UserAgentMatchRule"}, } } -func schema_openshift_api_machine_v1_DataDiskProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_legacyconfig_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DataDisk contains the information regarding the datadisk attached to an instance", + Description: "WebhookTokenAuthenticators holds the necessary configuation options for external token authenticators", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "Name": { - SchemaProps: spec.SchemaProps{ - Description: "Name is the name of data disk N. If the name is specified the name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-).\n\nEmpty value means the platform chooses a default, which is subject to change over time. Currently the default is `\"\"`.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "SnapshotID": { - SchemaProps: spec.SchemaProps{ - Description: "SnapshotID is the ID of the snapshot used to create data disk N. Valid values of N: 1 to 16.\n\nWhen the DataDisk.N.SnapshotID parameter is specified, the DataDisk.N.Size parameter is ignored. The data disk is created based on the size of the specified snapshot. Use snapshots created after July 15, 2013. Otherwise, an error is returned and your request is rejected.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "Size": { - SchemaProps: spec.SchemaProps{ - Description: "Size of the data disk N. Valid values of N: 1 to 16. Unit: GiB. Valid values:\n\nValid values when DataDisk.N.Category is set to cloud_efficiency: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud_ssd: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud_essd: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud: 5 to 2000 The value of this parameter must be greater than or equal to the size of the snapshot specified by the SnapshotID parameter.", - Default: 0, - Type: []string{"integer"}, - Format: "int64", - }, - }, - "DiskEncryption": { + "configFile": { SchemaProps: spec.SchemaProps{ - Description: "DiskEncryption specifies whether to encrypt data disk N.\n\nEmpty value means the platform chooses a default, which is subject to change over time. Currently the default is `disabled`.", + Description: "configFile is a path to a Kubeconfig file with the webhook configuration", Default: "", Type: []string{"string"}, Format: "", }, }, - "PerformanceLevel": { + "cacheTTL": { SchemaProps: spec.SchemaProps{ - Description: "PerformanceLevel is the performance level of the ESSD used as as data disk N. The N value must be the same as that in DataDisk.N.Category when DataDisk.N.Category is set to cloud_essd. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `PL1`. Valid values:\n\nPL0: A single ESSD can deliver up to 10,000 random read/write IOPS. PL1: A single ESSD can deliver up to 50,000 random read/write IOPS. PL2: A single ESSD can deliver up to 100,000 random read/write IOPS. PL3: A single ESSD can deliver up to 1,000,000 random read/write IOPS. For more information about ESSD performance levels, see ESSDs.", + Description: "cacheTTL indicates how long an authentication result should be cached. It takes a valid time duration string (e.g. \"5m\"). If empty, you get a default timeout of 2 minutes. If zero (e.g. \"0m\"), caching is disabled", Default: "", Type: []string{"string"}, Format: "", }, }, - "Category": { + }, + Required: []string{"configFile", "cacheTTL"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1_AWSFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AWSFailureDomain configures failure domain information for the AWS platform.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "subnet": { SchemaProps: spec.SchemaProps{ - Description: "Category describes the type of data disk N. Valid values: cloud_efficiency: ultra disk cloud_ssd: standard SSD cloud_essd: ESSD cloud: basic disk Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently for non-I/O optimized instances of retired instance types, the default is `cloud`. Currently for other instances, the default is `cloud_efficiency`.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "subnet is a reference to the subnet to use for this instance.", + Ref: ref("github.com/openshift/api/machine/v1.AWSResourceReference"), }, }, - "KMSKeyID": { + "placement": { SchemaProps: spec.SchemaProps{ - Description: "KMSKeyID is the ID of the Key Management Service (KMS) key to be used by data disk N. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `\"\"` which is interpreted as do not use KMSKey encryption.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "placement configures the placement information for this instance.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.AWSFailureDomainPlacement"), }, }, - "DiskPreservation": { + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.AWSFailureDomainPlacement", "github.com/openshift/api/machine/v1.AWSResourceReference"}, + } +} + +func schema_openshift_api_machine_v1_AWSFailureDomainPlacement(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AWSFailureDomainPlacement configures the placement information for the AWSFailureDomain.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "availabilityZone": { SchemaProps: spec.SchemaProps{ - Description: "DiskPreservation specifies whether to release data disk N along with the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `DeleteWithInstance`", + Description: "availabilityZone is the availability zone of the instance.", Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"availabilityZone"}, }, }, } } -func schema_openshift_api_machine_v1_FailureDomains(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_AWSResourceFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "FailureDomain represents the different configurations required to spread Machines across failure domains on different platforms.", + Description: "AWSResourceFilter is a filter used to identify an AWS resource", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "platform": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "platform identifies the platform for which the FailureDomain represents. Currently supported values are AWS, Azure, GCP, OpenStack, VSphere and Nutanix.", + Description: "name of the filter. Filter names are case-sensitive.", Default: "", Type: []string{"string"}, Format: "", }, }, - "aws": { + "values": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-type": "atomic", }, }, SchemaProps: spec.SchemaProps{ - Description: "aws configures failure domain information for the AWS platform.", + Description: "values includes one or more filter values. Filter values are case-sensitive.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AWSFailureDomain"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "azure": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1_AWSResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters. Only one of ID, ARN or Filters may be specified. Specifying more than one will result in a validation error.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { SchemaProps: spec.SchemaProps{ - Description: "azure configures failure domain information for the Azure platform.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.AzureFailureDomain"), - }, - }, - }, + Description: "type determines how the reference will fetch the AWS resource.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "gcp": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + "id": { SchemaProps: spec.SchemaProps{ - Description: "gcp configures failure domain information for the GCP platform.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.GCPFailureDomain"), - }, - }, - }, + Description: "id of resource.", + Type: []string{"string"}, + Format: "", }, }, - "vsphere": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, + "arn": { SchemaProps: spec.SchemaProps{ - Description: "vsphere configures failure domain information for the VSphere platform.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.VSphereFailureDomain"), - }, - }, - }, + Description: "arn of resource.", + Type: []string{"string"}, + Format: "", }, }, - "openstack": { + "filters": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-type": "atomic", }, }, SchemaProps: spec.SchemaProps{ - Description: "openstack configures failure domain information for the OpenStack platform.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.OpenStackFailureDomain"), - }, - }, - }, - }, - }, - "nutanix": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "nutanix configures failure domain information for the Nutanix platform.", + Description: "filters is a set of filters used to identify a resource.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixFailureDomainReference"), + Ref: ref("github.com/openshift/api/machine/v1.AWSResourceFilter"), }, }, }, }, }, }, - Required: []string{"platform"}, + Required: []string{"type"}, }, VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-unions": []interface{}{ map[string]interface{}{ - "discriminator": "platform", + "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", - "azure": "Azure", - "gcp": "GCP", - "nutanix": "Nutanix", - "openstack": "OpenStack", - "vsphere": "VSphere", + "arn": "ARN", + "filters": "Filters", + "id": "ID", }, }, }, @@ -34321,168 +35078,188 @@ func schema_openshift_api_machine_v1_FailureDomains(ref common.ReferenceCallback }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.AWSFailureDomain", "github.com/openshift/api/machine/v1.AzureFailureDomain", "github.com/openshift/api/machine/v1.GCPFailureDomain", "github.com/openshift/api/machine/v1.NutanixFailureDomainReference", "github.com/openshift/api/machine/v1.OpenStackFailureDomain", "github.com/openshift/api/machine/v1.VSphereFailureDomain"}, + "github.com/openshift/api/machine/v1.AWSResourceFilter"}, } } -func schema_openshift_api_machine_v1_GCPFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPFailureDomain configures failure domain information for the GCP platform", + Description: "AlibabaCloudMachineProviderConfig is the Schema for the alibabacloudmachineproviderconfig API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "zone": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "zone is the zone in which the GCP machine provider will create the VM.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"zone"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_LoadBalancerReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LoadBalancerReference is a reference to a load balancer on IBM Cloud virtual private cloud(VPC).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "name of the LoadBalancer in IBM Cloud VPC. The name should be between 1 and 63 characters long and may consist of lowercase alphanumeric characters and hyphens only. The value must not end with a hyphen. It is a reference to existing LoadBalancer created by openshift installer component.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "instanceType": { + SchemaProps: spec.SchemaProps{ + Description: "The instance type of the instance.", Default: "", Type: []string{"string"}, Format: "", }, }, - "type": { + "vpcId": { SchemaProps: spec.SchemaProps{ - Description: "type of the LoadBalancer service supported by IBM Cloud VPC. Currently, only Application LoadBalancer is supported. More details about Application LoadBalancer https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers-about&interface=ui Supported values are Application.", + Description: "The ID of the vpc", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"name", "type"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_NutanixCategory(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NutanixCategory identifies a pair of prism category key and value", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "key": { + "regionId": { SchemaProps: spec.SchemaProps{ - Description: "key is the prism category key name", + Description: "The ID of the region in which to create the instance. You can call the DescribeRegions operation to query the most recent region list.", Default: "", Type: []string{"string"}, Format: "", }, }, - "value": { + "zoneId": { SchemaProps: spec.SchemaProps{ - Description: "value is the prism category value associated with the key", + Description: "The ID of the zone in which to create the instance. You can call the DescribeZones operation to query the most recent region list.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"key", "value"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_NutanixFailureDomainReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NutanixFailureDomainReference refers to the failure domain of the Nutanix platform.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { + "imageId": { SchemaProps: spec.SchemaProps{ - Description: "name of the failure domain in which the nutanix machine provider will create the VM. Failure domains are defined in a cluster's config.openshift.io/Infrastructure resource.", + Description: "The ID of the image used to create the instance.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"name"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_NutanixGPU(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NutanixGPU holds the identity of a Nutanix GPU resource in the Prism Central", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { + "dataDisk": { + SchemaProps: spec.SchemaProps{ + Description: "DataDisks holds information regarding the extra disks attached to the instance", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.DataDiskProperties"), + }, + }, + }, + }, + }, + "securityGroups": { + SchemaProps: spec.SchemaProps{ + Description: "securityGroups is a list of security group references to assign to the instance. A reference holds either the security group ID, the resource name, or the required tags to search. When more than one security group is returned for a tag search, all the groups are associated with the instance up to the maximum number of security groups to which an instance can belong. For more information, see the \"Security group limits\" section in Limits. https://www.alibabacloud.com/help/en/doc-detail/25412.htm", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), + }, + }, + }, + }, + }, + "bandwidth": { + SchemaProps: spec.SchemaProps{ + Description: "bandwidth describes the internet bandwidth strategy for the instance", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.BandwidthProperties"), + }, + }, + "systemDisk": { + SchemaProps: spec.SchemaProps{ + Description: "systemDisk holds the properties regarding the system disk for the instance", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.SystemDiskProperties"), + }, + }, + "vSwitch": { + SchemaProps: spec.SchemaProps{ + Description: "vSwitch is a reference to the vswitch to use for this instance. A reference holds either the vSwitch ID, the resource name, or the required tags to search. When more than one vSwitch is returned for a tag search, only the first vSwitch returned will be used. This parameter is required when you create an instance of the VPC type. You can call the DescribeVSwitches operation to query the created vSwitches.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), + }, + }, + "ramRoleName": { SchemaProps: spec.SchemaProps{ - Description: "type is the identifier type of the GPU device. Valid values are Name and DeviceID.", - Default: "", + Description: "ramRoleName is the name of the instance Resource Access Management (RAM) role. This allows the instance to perform API calls as this specified RAM role.", Type: []string{"string"}, Format: "", }, }, - "deviceID": { + "resourceGroup": { SchemaProps: spec.SchemaProps{ - Description: "deviceID is the GPU device ID with the integer value.", - Type: []string{"integer"}, - Format: "int32", + Description: "resourceGroup references the resource group to which to assign the instance. A reference holds either the resource group ID, the resource name, or the required tags to search. When more than one resource group are returned for a search, an error will be produced and the Machine will not be created. Resource Groups do not support searching by tags.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.AlibabaResourceReference"), }, }, - "name": { + "tenancy": { SchemaProps: spec.SchemaProps{ - Description: "name is the GPU device name", + Description: "tenancy specifies whether to create the instance on a dedicated host. Valid values:\n\ndefault: creates the instance on a non-dedicated host. host: creates the instance on a dedicated host. If you do not specify the DedicatedHostID parameter, Alibaba Cloud automatically selects a dedicated host for the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `default`.", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "deviceID": "DeviceID", - "name": "Name", + "userDataSecret": { + SchemaProps: spec.SchemaProps{ + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "credentialsSecret": { + SchemaProps: spec.SchemaProps{ + Description: "credentialsSecret is a reference to the secret with alibabacloud credentials. Otherwise, defaults to permissions provided by attached RAM role where the actuator is running.", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "tag": { + SchemaProps: spec.SchemaProps{ + Description: "Tags are the set of metadata to add to an instance.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.Tag"), + }, + }, }, }, }, }, + Required: []string{"instanceType", "vpcId", "regionId", "zoneId", "imageId", "vSwitch", "resourceGroup"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.AlibabaResourceReference", "github.com/openshift/api/machine/v1.BandwidthProperties", "github.com/openshift/api/machine/v1.DataDiskProperties", "github.com/openshift/api/machine/v1.SystemDiskProperties", "github.com/openshift/api/machine/v1.Tag", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_NutanixMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixMachineProviderConfig is the Schema for the nutanixmachineproviderconfigs API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "AlibabaCloudMachineProviderConfigList contains a list of AlibabaCloudMachineProviderConfig Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -34501,174 +35278,218 @@ func schema_openshift_api_machine_v1_NutanixMachineProviderConfig(ref common.Ref }, "metadata": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "cluster": { - SchemaProps: spec.SchemaProps{ - Description: "cluster is to identify the cluster (the Prism Element under management of the Prism Central), in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), - }, - }, - "image": { - SchemaProps: spec.SchemaProps{ - Description: "image is to identify the rhcos image uploaded to the Prism Central (PC) The image identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - "subnets": { + "items": { SchemaProps: spec.SchemaProps{ - Description: "subnets holds a list of identifiers (one or more) of the cluster's network subnets for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", - Type: []string{"array"}, + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + Ref: ref("github.com/openshift/api/machine/v1.AlibabaCloudMachineProviderConfig"), }, }, }, }, }, - "vcpusPerSocket": { - SchemaProps: spec.SchemaProps{ - Description: "vcpusPerSocket is the number of vCPUs per socket of the VM", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "vcpuSockets": { + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.AlibabaCloudMachineProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_machine_v1_AlibabaCloudMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AlibabaCloudMachineProviderStatus is the Schema for the alibabacloudmachineproviderconfig API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "vcpuSockets is the number of vCPU sockets of the VM", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "memorySize": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "memorySize is the memory size (in Quantity format) of the VM The minimum memorySize is 2Gi bytes", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "systemDiskSize": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "systemDiskSize is size (in Quantity format) of the system disk of the VM The minimum systemDiskSize is 20Gi bytes", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "bootType": { + "instanceId": { SchemaProps: spec.SchemaProps{ - Description: "bootType indicates the boot type (Legacy, UEFI or SecureBoot) the Machine's VM uses to boot. If this field is empty or omitted, the VM will use the default boot type \"Legacy\" to boot. \"SecureBoot\" depends on \"UEFI\" boot, i.e., enabling \"SecureBoot\" means that \"UEFI\" boot is also enabled.", - Default: "", + Description: "instanceId is the instance ID of the machine created in alibabacloud", Type: []string{"string"}, Format: "", }, }, - "project": { + "instanceState": { SchemaProps: spec.SchemaProps{ - Description: "project optionally identifies a Prism project for the Machine's VM to associate with.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + Description: "instanceState is the state of the alibabacloud instance for this machine", + Type: []string{"string"}, + Format: "", }, }, - "categories": { + "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "key", + "type", }, "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "categories optionally adds one or more prism categories (each with key and value) for the Machine's VM to associate with. All the category key and value pairs specified must already exist in the prism central.", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixCategory"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "gpus": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_machine_v1_AlibabaResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ResourceTagReference is a reference to a specific AlibabaCloud resource by ID, or tags. Only one of ID or Tags may be specified. Specifying more than one will result in a validation error.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type identifies the resource reference type for this entry.", + Default: "", + Type: []string{"string"}, + Format: "", }, + }, + "id": { SchemaProps: spec.SchemaProps{ - Description: "gpus is a list of GPU devices to attach to the machine's VM. The GPU devices should already exist in Prism Central and associated with one of the Prism Element's hosts and available for the VM to attach (in \"UNUSED\" status).", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixGPU"), - }, - }, - }, + Description: "id of resource", + Type: []string{"string"}, + Format: "", }, }, - "dataDisks": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name of the resource", + Type: []string{"string"}, + Format: "", }, + }, + "tags": { SchemaProps: spec.SchemaProps{ - Description: "dataDisks holds information of the data disks to attach to the Machine's VM", + Description: "tags is a set of metadata based upon ECS object tags used to identify a resource. For details about usage when multiple resources are found, please see the owning parent field documentation.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.NutanixVMDisk"), + Ref: ref("github.com/openshift/api/machine/v1.Tag"), }, }, }, }, }, - "userDataSecret": { + }, + Required: []string{"type"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.Tag"}, + } +} + +func schema_openshift_api_machine_v1_AzureFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AzureFailureDomain configures failure domain information for the Azure platform.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "zone": { SchemaProps: spec.SchemaProps{ - Description: "userDataSecret is a local reference to a secret that contains the UserData to apply to the VM", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "Availability Zone for the virtual machine. If nil, the virtual machine should be deployed to no zone.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "credentialsSecret": { + "subnet": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a local reference to a secret that contains the credentials data to access Nutanix PC client", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "subnet is the name of the network subnet in which the VM will be created. When omitted, the subnet value from the machine providerSpec template will be used.", + Type: []string{"string"}, + Format: "", }, }, - "failureDomain": { + }, + Required: []string{"zone"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1_BandwidthProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Bandwidth describes the bandwidth strategy for the network of the instance", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "internetMaxBandwidthIn": { SchemaProps: spec.SchemaProps{ - Description: "failureDomain refers to the name of the FailureDomain with which this Machine is associated. If this is configured, the Nutanix machine controller will use the prism_central endpoint and credentials defined in the referenced FailureDomain to communicate to the prism_central. It will also verify that the 'cluster' and subnets' configuration in the NutanixMachineProviderConfig is consistent with that in the referenced failureDomain.", - Ref: ref("github.com/openshift/api/machine/v1.NutanixFailureDomainReference"), + Description: "internetMaxBandwidthIn is the maximum inbound public bandwidth. Unit: Mbit/s. Valid values: When the purchased outbound public bandwidth is less than or equal to 10 Mbit/s, the valid values of this parameter are 1 to 10. Currently the default is `10` when outbound bandwidth is less than or equal to 10 Mbit/s. When the purchased outbound public bandwidth is greater than 10, the valid values are 1 to the InternetMaxBandwidthOut value. Currently the default is the value used for `InternetMaxBandwidthOut` when outbound public bandwidth is greater than 10.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "internetMaxBandwidthOut": { + SchemaProps: spec.SchemaProps{ + Description: "internetMaxBandwidthOut is the maximum outbound public bandwidth. Unit: Mbit/s. Valid values: 0 to 100. When a value greater than 0 is used then a public IP address is assigned to the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `0`", + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"cluster", "image", "subnets", "vcpusPerSocket", "vcpuSockets", "memorySize", "systemDiskSize", "credentialsSecret"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.NutanixCategory", "github.com/openshift/api/machine/v1.NutanixFailureDomainReference", "github.com/openshift/api/machine/v1.NutanixGPU", "github.com/openshift/api/machine/v1.NutanixResourceIdentifier", "github.com/openshift/api/machine/v1.NutanixVMDisk", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_NutanixMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSet(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains nutanix-specific status information. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "ControlPlaneMachineSet ensures that a specified number of control plane machine replicas are running at any given time. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -34685,750 +35506,999 @@ func schema_openshift_api_machine_v1_NutanixMachineProviderStatus(ref common.Ref Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, + }, + "spec": { SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetSpec"), }, }, - "vmUUID": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "vmUUID is the Machine associated VM's UUID The field is missing before the VM is created. Once the VM is created, the field is filled with the VM's UUID and it will not change. The vmUUID is used to find the VM when updating the Machine status, and to delete the VM when the Machine is deleted.", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetStatus"), }, }, }, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/machine/v1.ControlPlaneMachineSetSpec", "github.com/openshift/api/machine/v1.ControlPlaneMachineSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_NutanixResourceIdentifier(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixResourceIdentifier holds the identity of a Nutanix PC resource (cluster, image, subnet, etc.)", + Description: "ControlPlaneMachineSetList contains a list of ControlPlaneMachineSet Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "type is the identifier type to use for this resource.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "uuid": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "uuid is the UUID of the resource in the PC.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "name": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "name is the resource name in the PC", - Type: []string{"string"}, - Format: "", + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "name": "Name", - "uuid": "UUID", + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSet"), + }, + }, }, }, }, }, + Required: []string{"items"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.ControlPlaneMachineSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1_NutanixStorageResourceIdentifier(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixStorageResourceIdentifier holds the identity of a Nutanix storage resource (storage_container, etc.)", + Description: "ControlPlaneMachineSet represents the configuration of the ControlPlaneMachineSet.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "machineNamePrefix": { SchemaProps: spec.SchemaProps{ - Description: "type is the identifier type to use for this resource. The valid value is \"uuid\".", - Default: "", + Description: "machineNamePrefix is the prefix used when creating machine names. Each machine name will consist of this prefix, followed by a randomly generated string of 5 characters, and the index of the machine. It must be a lowercase RFC 1123 subdomain, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'). Each block, separated by periods, must start and end with an alphanumeric character. Hyphens are not allowed at the start or end of a block, and consecutive periods are not permitted. The prefix must be between 1 and 245 characters in length. For example, if machineNamePrefix is set to 'control-plane', and three machines are created, their names might be: control-plane-abcde-0, control-plane-fghij-1, control-plane-klmno-2", Type: []string{"string"}, Format: "", }, }, - "uuid": { + "state": { SchemaProps: spec.SchemaProps{ - Description: "uuid is the UUID of the storage resource in the PC.", + Description: "state defines whether the ControlPlaneMachineSet is Active or Inactive. When Inactive, the ControlPlaneMachineSet will not take any action on the state of the Machines within the cluster. When Active, the ControlPlaneMachineSet will reconcile the Machines and will update the Machines as necessary. Once Active, a ControlPlaneMachineSet cannot be made Inactive. To prevent further action please remove the ControlPlaneMachineSet.", + Default: "Inactive", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "uuid": "UUID", - }, - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1_NutanixVMDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "NutanixDataDisk specifies the VM data disk configuration parameters.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "diskSize": { + "replicas": { SchemaProps: spec.SchemaProps{ - Description: "diskSize is size (in Quantity format) of the disk attached to the VM. See https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Format for the Quantity format and example documentation. The minimum diskSize is 1GB.", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + Description: "replicas defines how many Control Plane Machines should be created by this ControlPlaneMachineSet. This field is immutable and cannot be changed after cluster installation. The ControlPlaneMachineSet only operates with 3 or 5 node control planes, 3 and 5 are the only valid values for this field.", + Type: []string{"integer"}, + Format: "int32", }, }, - "deviceProperties": { + "strategy": { SchemaProps: spec.SchemaProps{ - Description: "deviceProperties are the properties of the disk device.", - Ref: ref("github.com/openshift/api/machine/v1.NutanixVMDiskDeviceProperties"), + Description: "strategy defines how the ControlPlaneMachineSet will update Machines when it detects a change to the ProviderSpec.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetStrategy"), }, }, - "storageConfig": { + "selector": { SchemaProps: spec.SchemaProps{ - Description: "storageConfig are the storage configuration parameters of the VM disks.", - Ref: ref("github.com/openshift/api/machine/v1.NutanixVMStorageConfig"), + Description: "Label selector for Machines. Existing Machines selected by this selector will be the ones affected by this ControlPlaneMachineSet. It must match the template's labels. This field is considered immutable after creation of the resource.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), }, }, - "dataSource": { + "template": { SchemaProps: spec.SchemaProps{ - Description: "dataSource refers to a data source image for the VM disk.", - Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + Description: "template describes the Control Plane Machines that will be created by this ControlPlaneMachineSet.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplate"), }, }, }, - Required: []string{"diskSize"}, + Required: []string{"replicas", "selector", "template"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.NutanixResourceIdentifier", "github.com/openshift/api/machine/v1.NutanixVMDiskDeviceProperties", "github.com/openshift/api/machine/v1.NutanixVMStorageConfig", "k8s.io/apimachinery/pkg/api/resource.Quantity"}, + "github.com/openshift/api/machine/v1.ControlPlaneMachineSetStrategy", "github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, } } -func schema_openshift_api_machine_v1_NutanixVMDiskDeviceProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixVMDiskDeviceProperties specifies the disk device properties.", + Description: "ControlPlaneMachineSetStatus represents the status of the ControlPlaneMachineSet CRD.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "deviceType": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "deviceType specifies the disk device type. The valid values are \"Disk\" and \"CDRom\", and the default is \"Disk\".", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "conditions represents the observations of the ControlPlaneMachineSet's current state. Known .status.conditions.type are: Available, Degraded and Progressing.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, }, }, - "adapterType": { + "observedGeneration": { SchemaProps: spec.SchemaProps{ - Description: "adapterType is the adapter type of the disk address. If the deviceType is \"Disk\", the valid adapterType can be \"SCSI\", \"IDE\", \"PCI\", \"SATA\" or \"SPAPR\". If the deviceType is \"CDRom\", the valid adapterType can be \"IDE\" or \"SATA\".", - Type: []string{"string"}, - Format: "", + Description: "observedGeneration is the most recent generation observed for this ControlPlaneMachineSet. It corresponds to the ControlPlaneMachineSets's generation, which is updated on mutation by the API Server.", + Type: []string{"integer"}, + Format: "int64", }, }, - "deviceIndex": { + "replicas": { SchemaProps: spec.SchemaProps{ - Description: "deviceIndex is the index of the disk address. The valid values are non-negative integers, with the default value 0. For a Machine VM, the deviceIndex for the disks with the same deviceType.adapterType combination should start from 0 and increase consecutively afterwards. Note that for each Machine VM, the Disk.SCSI.0 and CDRom.IDE.0 are reserved to be used by the VM's system. So for dataDisks of Disk.SCSI and CDRom.IDE, the deviceIndex should start from 1.", + Description: "replicas is the number of Control Plane Machines created by the ControlPlaneMachineSet controller. Note that during update operations this value may differ from the desired replica count.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "readyReplicas": { + SchemaProps: spec.SchemaProps{ + Description: "readyReplicas is the number of Control Plane Machines created by the ControlPlaneMachineSet controller which are ready. Note that this value may be higher than the desired number of replicas while rolling updates are in-progress.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "updatedReplicas": { + SchemaProps: spec.SchemaProps{ + Description: "updatedReplicas is the number of non-terminated Control Plane Machines created by the ControlPlaneMachineSet controller that have the desired provider spec and are ready. This value is set to 0 when a change is detected to the desired spec. When the update strategy is RollingUpdate, this will also coincide with starting the process of updating the Machines. When the update strategy is OnDelete, this value will remain at 0 until a user deletes an existing replica and its replacement has become ready.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "unavailableReplicas": { + SchemaProps: spec.SchemaProps{ + Description: "unavailableReplicas is the number of Control Plane Machines that are still required before the ControlPlaneMachineSet reaches the desired available capacity. When this value is non-zero, the number of ReadyReplicas is less than the desired Replicas.", Type: []string{"integer"}, Format: "int32", }, }, }, - Required: []string{"deviceType", "adapterType", "deviceIndex"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1_NutanixVMStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetStrategy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NutanixVMStorageConfig specifies the storage configuration parameters for VM disks.", + Description: "ControlPlaneMachineSetStrategy defines the strategy for applying updates to the Control Plane Machines managed by the ControlPlaneMachineSet.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "diskMode": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "diskMode specifies the disk mode. The valid values are Standard and Flash, and the default is Standard.", - Default: "", + Description: "type defines the type of update strategy that should be used when updating Machines owned by the ControlPlaneMachineSet. Valid values are \"RollingUpdate\" and \"OnDelete\". The current default value is \"RollingUpdate\".", + Default: "RollingUpdate", Type: []string{"string"}, - Format: "", - }, - }, - "storageContainer": { - SchemaProps: spec.SchemaProps{ - Description: "storageContainer refers to the storage_container used by the VM disk.", - Ref: ref("github.com/openshift/api/machine/v1.NutanixStorageResourceIdentifier"), + Format: "", }, }, }, - Required: []string{"diskMode"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.NutanixStorageResourceIdentifier"}, } } -func schema_openshift_api_machine_v1_OpenShiftMachineV1Beta1MachineTemplate(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetTemplate(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OpenShiftMachineV1Beta1MachineTemplate is a template for the ControlPlaneMachineSet to create Machines from the v1beta1.machine.openshift.io API group.", + Description: "ControlPlaneMachineSetTemplate is a template used by the ControlPlaneMachineSet to create the Machines that it will manage in the future.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "failureDomains": { + "machineType": { SchemaProps: spec.SchemaProps{ - Description: "failureDomains is the list of failure domains (sometimes called availability zones) in which the ControlPlaneMachineSet should balance the Control Plane Machines. This will be merged into the ProviderSpec given in the template. This field is optional on platforms that do not require placement information.", - Ref: ref("github.com/openshift/api/machine/v1.FailureDomains"), + Description: "machineType determines the type of Machines that should be managed by the ControlPlaneMachineSet. Currently, the only valid value is machines_v1beta1_machine_openshift_io.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "metadata": { + "machines_v1beta1_machine_openshift_io": { SchemaProps: spec.SchemaProps{ - Description: "ObjectMeta is the standard object metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata Labels are required to match the ControlPlaneMachineSet selector.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplateObjectMeta"), + Description: "OpenShiftMachineV1Beta1Machine defines the template for creating Machines from the v1beta1.machine.openshift.io API group.", + Ref: ref("github.com/openshift/api/machine/v1.OpenShiftMachineV1Beta1MachineTemplate"), }, }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overriden when the Machines are created based on the FailureDomains field.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), + }, + Required: []string{"machineType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "machineType", + "fields-to-discriminateBy": map[string]interface{}{ + "machines_v1beta1_machine_openshift_io": "OpenShiftMachineV1Beta1Machine", + }, }, }, }, - Required: []string{"metadata", "spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplateObjectMeta", "github.com/openshift/api/machine/v1.FailureDomains", "github.com/openshift/api/machine/v1beta1.MachineSpec"}, + "github.com/openshift/api/machine/v1.OpenShiftMachineV1Beta1MachineTemplate"}, } } -func schema_openshift_api_machine_v1_OpenStackFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_ControlPlaneMachineSetTemplateObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OpenStackFailureDomain configures failure domain information for the OpenStack platform.", + Description: "ControlPlaneMachineSetTemplateObjectMeta is a subset of the metav1.ObjectMeta struct. It allows users to specify labels and annotations that will be copied onto Machines created from this template.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "availabilityZone": { + "labels": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone is the nova availability zone in which the OpenStack machine provider will create the VM. If not specified, the VM will be created in the default availability zone specified in the nova configuration. Availability zone names must NOT contain : since it is used by admin users to specify hosts where instances are launched in server creation. Also, it must not contain spaces otherwise it will lead to node that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits.", - Type: []string{"string"}, - Format: "", + Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels. This field must contain both the 'machine.openshift.io/cluster-api-machine-role' and 'machine.openshift.io/cluster-api-machine-type' labels, both with a value of 'master'. It must also contain a label with the key 'machine.openshift.io/cluster-api-cluster'.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "rootVolume": { + "annotations": { SchemaProps: spec.SchemaProps{ - Description: "rootVolume contains settings that will be used by the OpenStack machine provider to create the root volume attached to the VM. If not specified, no root volume will be created.", - Ref: ref("github.com/openshift/api/machine/v1.RootVolume"), + Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, }, + Required: []string{"labels"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.RootVolume"}, } } -func schema_openshift_api_machine_v1_PowerVSMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_DataDiskProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PowerVSMachineProviderConfig is the type that will be embedded in a Machine.Spec.ProviderSpec field for a PowerVS virtual machine. It is used by the PowerVS machine actuator to create a single Machine.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Description: "DataDisk contains the information regarding the datadisk attached to an instance", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "Name": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "Name is the name of data disk N. If the name is specified the name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-).\n\nEmpty value means the platform chooses a default, which is subject to change over time. Currently the default is `\"\"`.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "SnapshotID": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "SnapshotID is the ID of the snapshot used to create data disk N. Valid values of N: 1 to 16.\n\nWhen the DataDisk.N.SnapshotID parameter is specified, the DataDisk.N.Size parameter is ignored. The data disk is created based on the size of the specified snapshot. Use snapshots created after July 15, 2013. Otherwise, an error is returned and your request is rejected.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "userDataSecret": { - SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance.", - Ref: ref("github.com/openshift/api/machine/v1.PowerVSSecretReference"), - }, - }, - "credentialsSecret": { + "Size": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with IBM Cloud credentials.", - Ref: ref("github.com/openshift/api/machine/v1.PowerVSSecretReference"), + Description: "Size of the data disk N. Valid values of N: 1 to 16. Unit: GiB. Valid values:\n\nValid values when DataDisk.N.Category is set to cloud_efficiency: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud_ssd: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud_essd: 20 to 32768 Valid values when DataDisk.N.Category is set to cloud: 5 to 2000 The value of this parameter must be greater than or equal to the size of the snapshot specified by the SnapshotID parameter.", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, - "serviceInstance": { + "DiskEncryption": { SchemaProps: spec.SchemaProps{ - Description: "serviceInstance is the reference to the Power VS service on which the server instance(VM) will be created. Power VS service is a container for all Power VS instances at a specific geographic region. serviceInstance can be created via IBM Cloud catalog or CLI. supported serviceInstance identifier in PowerVSResource are Name and ID and that can be obtained from IBM Cloud UI or IBM Cloud cli. More detail about Power VS service instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), + Description: "DiskEncryption specifies whether to encrypt data disk N.\n\nEmpty value means the platform chooses a default, which is subject to change over time. Currently the default is `disabled`.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "image": { + "PerformanceLevel": { SchemaProps: spec.SchemaProps{ - Description: "image is to identify the rhcos image uploaded to IBM COS bucket which is used to create the instance. supported image identifier in PowerVSResource are Name and ID and that can be obtained from IBM Cloud UI or IBM Cloud cli.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), + Description: "PerformanceLevel is the performance level of the ESSD used as as data disk N. The N value must be the same as that in DataDisk.N.Category when DataDisk.N.Category is set to cloud_essd. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `PL1`. Valid values:\n\nPL0: A single ESSD can deliver up to 10,000 random read/write IOPS. PL1: A single ESSD can deliver up to 50,000 random read/write IOPS. PL2: A single ESSD can deliver up to 100,000 random read/write IOPS. PL3: A single ESSD can deliver up to 1,000,000 random read/write IOPS. For more information about ESSD performance levels, see ESSDs.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "network": { + "Category": { SchemaProps: spec.SchemaProps{ - Description: "network is the reference to the Network to use for this instance. supported network identifier in PowerVSResource are Name, ID and RegEx and that can be obtained from IBM Cloud UI or IBM Cloud cli.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), + Description: "Category describes the type of data disk N. Valid values: cloud_efficiency: ultra disk cloud_ssd: standard SSD cloud_essd: ESSD cloud: basic disk Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently for non-I/O optimized instances of retired instance types, the default is `cloud`. Currently for other instances, the default is `cloud_efficiency`.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "keyPairName": { + "KMSKeyID": { SchemaProps: spec.SchemaProps{ - Description: "keyPairName is the name of the KeyPair to use for SSH. The key pair will be exposed to the instance via the instance metadata service. On boot, the OS will copy the public keypair into the authorized keys for the core user.", + Description: "KMSKeyID is the ID of the Key Management Service (KMS) key to be used by data disk N. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `\"\"` which is interpreted as do not use KMSKey encryption.", Default: "", Type: []string{"string"}, Format: "", }, }, - "systemType": { + "DiskPreservation": { SchemaProps: spec.SchemaProps{ - Description: "systemType is the System type used to host the instance. systemType determines the number of cores and memory that is available. Few of the supported SystemTypes are s922,e880,e980. e880 systemType available only in Dallas Datacenters. e980 systemType available in Datacenters except Dallas and Washington. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is s922 which is generally available.", + Description: "DiskPreservation specifies whether to release data disk N along with the instance. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently the default is `DeleteWithInstance`", + Default: "", Type: []string{"string"}, Format: "", }, }, - "processorType": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1_FailureDomains(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "FailureDomain represents the different configurations required to spread Machines across failure domains on different platforms.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "platform": { SchemaProps: spec.SchemaProps{ - Description: "processorType is the VM instance processor type. It must be set to one of the following values: Dedicated, Capped or Shared. Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. Shared: Shared among other clients. Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. if the processorType is selected as Dedicated, then processors value cannot be fractional. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Shared.", + Description: "platform identifies the platform for which the FailureDomain represents. Currently supported values are AWS, Azure, GCP, OpenStack, VSphere and Nutanix.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "processors": { - SchemaProps: spec.SchemaProps{ - Description: "processors is the number of virtual processors in a virtual machine. when the processorType is selected as Dedicated the processors value cannot be fractional. maximum value for the Processors depends on the selected SystemType. when SystemType is set to e880 or e980 maximum Processors value is 143. when SystemType is set to s922 maximum Processors value is 15. minimum value for Processors depends on the selected ProcessorType. when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. when ProcessorType is set as Dedicated, The minimum processors is 1. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default is set based on the selected ProcessorType. when ProcessorType selected as Dedicated, the default is set to 1. when ProcessorType selected as Shared or Capped, the default is set to 0.5.", - Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), + "aws": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, }, - }, - "memoryGiB": { SchemaProps: spec.SchemaProps{ - Description: "memoryGiB is the size of a virtual machine's memory, in GiB. maximum value for the MemoryGiB depends on the selected SystemType. when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. The minimum memory is 32 GiB. When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is 32.", - Type: []string{"integer"}, - Format: "int32", + Description: "aws configures failure domain information for the AWS platform.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.AWSFailureDomain"), + }, + }, + }, }, }, - "loadBalancers": { + "azure": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "loadBalancers is the set of load balancers to which the new control plane instance should be added once it is created.", + Description: "azure configures failure domain information for the Azure platform.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1.LoadBalancerReference"), + Ref: ref("github.com/openshift/api/machine/v1.AzureFailureDomain"), }, }, }, }, }, - }, - Required: []string{"serviceInstance", "image", "network", "keyPairName"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1.LoadBalancerReference", "github.com/openshift/api/machine/v1.PowerVSResource", "github.com/openshift/api/machine/v1.PowerVSSecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"}, - } -} - -func schema_openshift_api_machine_v1_PowerVSMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PowerVSMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains PowerVS-specific status information.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + "gcp": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, }, - }, - "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "gcp configures failure domain information for the GCP platform.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.GCPFailureDomain"), + }, + }, + }, }, }, - "conditions": { + "vsphere": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "type", + "name", }, "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Description: "vsphere configures failure domain information for the VSphere platform.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + Ref: ref("github.com/openshift/api/machine/v1.VSphereFailureDomain"), }, }, }, }, }, - "instanceId": { + "openstack": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "instanceId is the instance ID of the machine created in PowerVS instanceId uniquely identifies a Power VS server instance(VM) under a Power VS service. This will help in updating or deleting a VM in Power VS Cloud", - Type: []string{"string"}, - Format: "", + Description: "openstack configures failure domain information for the OpenStack platform.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.OpenStackFailureDomain"), + }, + }, + }, }, }, - "serviceInstanceID": { + "nutanix": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "serviceInstanceID is the reference to the Power VS ServiceInstance on which the machine instance will be created. serviceInstanceID uniquely identifies the Power VS service By setting serviceInstanceID it will become easy and efficient to fetch a server instance(VM) within Power VS Cloud.", - Type: []string{"string"}, - Format: "", + Description: "nutanix configures failure domain information for the Nutanix platform.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixFailureDomainReference"), + }, + }, + }, }, }, - "instanceState": { + }, + Required: []string{"platform"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "platform", + "fields-to-discriminateBy": map[string]interface{}{ + "aws": "AWS", + "azure": "Azure", + "gcp": "GCP", + "nutanix": "Nutanix", + "openstack": "OpenStack", + "vsphere": "VSphere", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.AWSFailureDomain", "github.com/openshift/api/machine/v1.AzureFailureDomain", "github.com/openshift/api/machine/v1.GCPFailureDomain", "github.com/openshift/api/machine/v1.NutanixFailureDomainReference", "github.com/openshift/api/machine/v1.OpenStackFailureDomain", "github.com/openshift/api/machine/v1.VSphereFailureDomain"}, + } +} + +func schema_openshift_api_machine_v1_GCPFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GCPFailureDomain configures failure domain information for the GCP platform", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "zone": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the state of the PowerVS instance for this machine Possible instance states are Active, Build, ShutOff, Reboot This is used to display additional information to user regarding instance current state", + Description: "zone is the zone in which the GCP machine provider will create the VM.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"zone"}, }, }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1_PowerVSResource(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_LoadBalancerReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PowerVSResource is a reference to a specific PowerVS resource by ID, Name or RegEx Only one of ID, Name or RegEx may be specified. Specifying more than one will result in a validation error.", + Description: "LoadBalancerReference is a reference to a load balancer on IBM Cloud virtual private cloud(VPC).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "type identifies the resource type for this entry. Valid values are ID, Name and RegEx", + Description: "name of the LoadBalancer in IBM Cloud VPC. The name should be between 1 and 63 characters long and may consist of lowercase alphanumeric characters and hyphens only. The value must not end with a hyphen. It is a reference to existing LoadBalancer created by openshift installer component.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "id": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "id of resource", + Description: "type of the LoadBalancer service supported by IBM Cloud VPC. Currently, only Application LoadBalancer is supported. More details about Application LoadBalancer https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancers-about&interface=ui Supported values are Application.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "name": { + }, + Required: []string{"name", "type"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1_NutanixCategory(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NutanixCategory identifies a pair of prism category key and value", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "key": { SchemaProps: spec.SchemaProps{ - Description: "name of resource", + Description: "key is the prism category key name", + Default: "", Type: []string{"string"}, Format: "", }, }, - "regex": { + "value": { SchemaProps: spec.SchemaProps{ - Description: "regex to find resource Regex contains the pattern to match to find a resource", + Description: "value is the prism category value associated with the key", + Default: "", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"key", "value"}, }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "fields-to-discriminateBy": map[string]interface{}{ - "id": "ID", - "name": "Name", - "regex": "RegEx", - "type": "Type", - }, + }, + } +} + +func schema_openshift_api_machine_v1_NutanixFailureDomainReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NutanixFailureDomainReference refers to the failure domain of the Nutanix platform.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name of the failure domain in which the nutanix machine provider will create the VM. Failure domains are defined in a cluster's config.openshift.io/Infrastructure resource.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"name"}, }, }, } } -func schema_openshift_api_machine_v1_PowerVSSecretReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixGPU(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PowerVSSecretReference contains enough information to locate the referenced secret inside the same namespace.", + Description: "NutanixGPU holds the identity of a Nutanix GPU resource in the Prism Central", Type: []string{"object"}, Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the identifier type of the GPU device. Valid values are Name and DeviceID.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "deviceID": { + SchemaProps: spec.SchemaProps{ + Description: "deviceID is the GPU device ID with the integer value.", + Type: []string{"integer"}, + Format: "int32", + }, + }, "name": { SchemaProps: spec.SchemaProps{ - Description: "name of the secret.", + Description: "name is the GPU device name", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"type"}, }, VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-map-type": "atomic", + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "deviceID": "DeviceID", + "name": "Name", + }, + }, + }, }, }, }, } } -func schema_openshift_api_machine_v1_RootVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RootVolume represents the volume metadata to boot from. The original RootVolume struct is defined in the v1alpha1 but it's not best practice to use it directly here so we define a new one that should stay in sync with the original one.", + Description: "NutanixMachineProviderConfig is the Schema for the nutanixmachineproviderconfigs API Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "availabilityZone": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone specifies the Cinder availability zone where the root volume will be created. If not specifified, the root volume will be created in the availability zone specified by the volume type in the cinder configuration. If the volume type (configured in the OpenStack cluster) does not specify an availability zone, the root volume will be created in the default availability zone specified in the cinder configuration. See https://docs.openstack.org/cinder/latest/admin/availability-zone-type.html for more details. If the OpenStack cluster is deployed with the cross_az_attach configuration option set to false, the root volume will have to be in the same availability zone as the VM (defined by OpenStackFailureDomain.AvailabilityZone). Availability zone names must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "volumeType": { + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "cluster": { + SchemaProps: spec.SchemaProps{ + Description: "cluster is to identify the cluster (the Prism Element under management of the Prism Central), in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + }, + }, + "image": { + SchemaProps: spec.SchemaProps{ + Description: "image is to identify the rhcos image uploaded to the Prism Central (PC) The image identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + }, + }, + "subnets": { + SchemaProps: spec.SchemaProps{ + Description: "subnets holds a list of identifiers (one or more) of the cluster's network subnets for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), + }, + }, + }, + }, + }, + "vcpusPerSocket": { + SchemaProps: spec.SchemaProps{ + Description: "vcpusPerSocket is the number of vCPUs per socket of the VM", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "vcpuSockets": { + SchemaProps: spec.SchemaProps{ + Description: "vcpuSockets is the number of vCPU sockets of the VM", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "memorySize": { + SchemaProps: spec.SchemaProps{ + Description: "memorySize is the memory size (in Quantity format) of the VM The minimum memorySize is 2Gi bytes", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + }, + }, + "systemDiskSize": { + SchemaProps: spec.SchemaProps{ + Description: "systemDiskSize is size (in Quantity format) of the system disk of the VM The minimum systemDiskSize is 20Gi bytes", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + }, + }, + "bootType": { SchemaProps: spec.SchemaProps{ - Description: "volumeType specifies the type of the root volume that will be provisioned. The maximum length of a volume type name is 255 characters, as per the OpenStack limit.", + Description: "bootType indicates the boot type (Legacy, UEFI or SecureBoot) the Machine's VM uses to boot. If this field is empty or omitted, the VM will use the default boot type \"Legacy\" to boot. \"SecureBoot\" depends on \"UEFI\" boot, i.e., enabling \"SecureBoot\" means that \"UEFI\" boot is also enabled.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"volumeType"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_SystemDiskProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SystemDiskProperties contains the information regarding the system disk including performance, size, name, and category", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "category": { + "project": { SchemaProps: spec.SchemaProps{ - Description: "category is the category of the system disk. Valid values: cloud_essd: ESSD. When the parameter is set to this value, you can use the SystemDisk.PerformanceLevel parameter to specify the performance level of the disk. cloud_efficiency: ultra disk. cloud_ssd: standard SSD. cloud: basic disk. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently for non-I/O optimized instances of retired instance types, the default is `cloud`. Currently for other instances, the default is `cloud_efficiency`.", - Type: []string{"string"}, - Format: "", + Description: "project optionally identifies a Prism project for the Machine's VM to associate with.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), }, }, - "performanceLevel": { + "categories": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "key", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "performanceLevel is the performance level of the ESSD used as the system disk. Valid values:\n\nPL0: A single ESSD can deliver up to 10,000 random read/write IOPS. PL1: A single ESSD can deliver up to 50,000 random read/write IOPS. PL2: A single ESSD can deliver up to 100,000 random read/write IOPS. PL3: A single ESSD can deliver up to 1,000,000 random read/write IOPS. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `PL1`. For more information about ESSD performance levels, see ESSDs.", - Type: []string{"string"}, - Format: "", + Description: "categories optionally adds one or more prism categories (each with key and value) for the Machine's VM to associate with. All the category key and value pairs specified must already exist in the prism central.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixCategory"), + }, + }, + }, }, }, - "name": { + "gpus": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "name is the name of the system disk. If the name is specified the name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). Empty value means the platform chooses a default, which is subject to change over time. Currently the default is `\"\"`.", - Type: []string{"string"}, - Format: "", + Description: "gpus is a list of GPU devices to attach to the machine's VM. The GPU devices should already exist in Prism Central and associated with one of the Prism Element's hosts and available for the VM to attach (in \"UNUSED\" status).", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixGPU"), + }, + }, + }, }, }, - "size": { + "dataDisks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "size is the size of the system disk. Unit: GiB. Valid values: 20 to 500. The value must be at least 20 and greater than or equal to the size of the image. Empty value means the platform chooses a default, which is subject to change over time. Currently the default is `40` or the size of the image depending on whichever is greater.", - Type: []string{"integer"}, - Format: "int64", + Description: "dataDisks holds information of the data disks to attach to the Machine's VM", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.NutanixVMDisk"), + }, + }, + }, + }, + }, + "userDataSecret": { + SchemaProps: spec.SchemaProps{ + Description: "userDataSecret is a local reference to a secret that contains the UserData to apply to the VM", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "credentialsSecret": { + SchemaProps: spec.SchemaProps{ + Description: "credentialsSecret is a local reference to a secret that contains the credentials data to access Nutanix PC client", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + }, + }, + "failureDomain": { + SchemaProps: spec.SchemaProps{ + Description: "failureDomain refers to the name of the FailureDomain with which this Machine is associated. If this is configured, the Nutanix machine controller will use the prism_central endpoint and credentials defined in the referenced FailureDomain to communicate to the prism_central. It will also verify that the 'cluster' and subnets' configuration in the NutanixMachineProviderConfig is consistent with that in the referenced failureDomain.", + Ref: ref("github.com/openshift/api/machine/v1.NutanixFailureDomainReference"), }, }, }, + Required: []string{"cluster", "image", "subnets", "vcpusPerSocket", "vcpuSockets", "memorySize", "systemDiskSize", "credentialsSecret"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.NutanixCategory", "github.com/openshift/api/machine/v1.NutanixFailureDomainReference", "github.com/openshift/api/machine/v1.NutanixGPU", "github.com/openshift/api/machine/v1.NutanixResourceIdentifier", "github.com/openshift/api/machine/v1.NutanixVMDisk", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1_Tag(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Tag The tags of ECS Instance", + Description: "NutanixMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains nutanix-specific status information. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "Key": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "Key is the name of the key pair", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "Value": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "Value is the value or data of the key pair", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"Key", "Value"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1_VSphereFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "VSphereFailureDomain configures failure domain information for the vSphere platform", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "name of the failure domain in which the vSphere machine provider will create the VM. Failure domains are defined in a cluster's config.openshift.io/Infrastructure resource. When balancing machines across failure domains, the control plane machine set will inject configuration from the Infrastructure resource into the machine providerSpec to allocate the machine to a failure domain.", - Default: "", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "vmUUID": { + SchemaProps: spec.SchemaProps{ + Description: "vmUUID is the Machine associated VM's UUID The field is missing before the VM is created. Once the VM is created, the field is filled with the VM's UUID and it will not change. The vmUUID is used to find the VM when updating the Machine status, and to delete the VM when the Machine is deleted.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1alpha1_AdditionalBlockDevice(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixResourceIdentifier(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "additionalBlockDevice is a block device to attach to the server.", + Description: "NutanixResourceIdentifier holds the identity of a Nutanix PC resource (cluster, image, subnet, etc.)", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "name of the block device in the context of a machine. If the block device is a volume, the Cinder volume will be named as a combination of the machine name and this name. Also, this name will be used for tagging the block device. Information about the block device tag can be obtained from the OpenStack metadata API or the config drive.", + Description: "type is the identifier type to use for this resource.", Default: "", Type: []string{"string"}, Format: "", }, }, - "sizeGiB": { + "uuid": { SchemaProps: spec.SchemaProps{ - Description: "sizeGiB is the size of the block device in gibibytes (GiB).", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "uuid is the UUID of the resource in the PC.", + Type: []string{"string"}, + Format: "", }, }, - "storage": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "storage specifies the storage type of the block device and additional storage options.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.BlockDeviceStorage"), + Description: "name is the resource name in the PC", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"name", "sizeGiB", "storage"}, + Required: []string{"type"}, }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.BlockDeviceStorage"}, - } -} - -func schema_openshift_api_machine_v1alpha1_AddressPair(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "ipAddress": { - SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", - }, - }, - "macAddress": { - SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "name": "Name", + "uuid": "UUID", + }, }, }, }, @@ -35437,25 +36507,26 @@ func schema_openshift_api_machine_v1alpha1_AddressPair(ref common.ReferenceCallb } } -func schema_openshift_api_machine_v1alpha1_BlockDeviceStorage(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixStorageResourceIdentifier(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "blockDeviceStorage is the storage type of a block device to create and contains additional storage options.", + Description: "NutanixStorageResourceIdentifier holds the identity of a Nutanix storage resource (storage_container, etc.)", Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is the type of block device to create. This can be either \"Volume\" or \"Local\".", + Description: "type is the identifier type to use for this resource. The valid value is \"uuid\".", Default: "", Type: []string{"string"}, Format: "", }, }, - "volume": { + "uuid": { SchemaProps: spec.SchemaProps{ - Description: "volume contains additional storage options for a volume block device.", - Ref: ref("github.com/openshift/api/machine/v1alpha1.BlockDeviceVolume"), + Description: "uuid is the UUID of the storage resource in the PC.", + Type: []string{"string"}, + Format: "", }, }, }, @@ -35467,303 +36538,192 @@ func schema_openshift_api_machine_v1alpha1_BlockDeviceStorage(ref common.Referen map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "volume": "Volume", + "uuid": "UUID", }, }, }, }, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.BlockDeviceVolume"}, } } -func schema_openshift_api_machine_v1alpha1_BlockDeviceVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixVMDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "blockDeviceVolume contains additional storage options for a volume block device.", + Description: "NutanixDataDisk specifies the VM data disk configuration parameters.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "diskSize": { SchemaProps: spec.SchemaProps{ - Description: "type is the Cinder volume type of the volume. If omitted, the default Cinder volume type that is configured in the OpenStack cloud will be used.", - Type: []string{"string"}, - Format: "", + Description: "diskSize is size (in Quantity format) of the disk attached to the VM. See https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Format for the Quantity format and example documentation. The minimum diskSize is 1GB.", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), }, }, - "availabilityZone": { + "deviceProperties": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone is the volume availability zone to create the volume in. If omitted, the availability zone of the server will be used. The availability zone must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information.", - Type: []string{"string"}, - Format: "", + Description: "deviceProperties are the properties of the disk device.", + Ref: ref("github.com/openshift/api/machine/v1.NutanixVMDiskDeviceProperties"), + }, + }, + "storageConfig": { + SchemaProps: spec.SchemaProps{ + Description: "storageConfig are the storage configuration parameters of the VM disks.", + Ref: ref("github.com/openshift/api/machine/v1.NutanixVMStorageConfig"), + }, + }, + "dataSource": { + SchemaProps: spec.SchemaProps{ + Description: "dataSource refers to a data source image for the VM disk.", + Ref: ref("github.com/openshift/api/machine/v1.NutanixResourceIdentifier"), }, }, }, + Required: []string{"diskSize"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.NutanixResourceIdentifier", "github.com/openshift/api/machine/v1.NutanixVMDiskDeviceProperties", "github.com/openshift/api/machine/v1.NutanixVMStorageConfig", "k8s.io/apimachinery/pkg/api/resource.Quantity"}, } } -func schema_openshift_api_machine_v1alpha1_Filter(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixVMDiskDeviceProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "NutanixVMDiskDeviceProperties specifies the disk device properties.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "id": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: use NetworkParam.uuid instead. Ignored if NetworkParam.uuid is set.", - Type: []string{"string"}, - Format: "", - }, - }, - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name filters networks by name.", - Type: []string{"string"}, - Format: "", - }, - }, - "description": { - SchemaProps: spec.SchemaProps{ - Description: "description filters networks by description.", - Type: []string{"string"}, - Format: "", - }, - }, - "tenantId": { - SchemaProps: spec.SchemaProps{ - Description: "tenantId filters networks by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", - Type: []string{"string"}, - Format: "", - }, - }, - "projectId": { - SchemaProps: spec.SchemaProps{ - Description: "projectId filters networks by project ID.", - Type: []string{"string"}, - Format: "", - }, - }, - "tags": { - SchemaProps: spec.SchemaProps{ - Description: "tags filters by networks containing all specified tags. Multiple tags are comma separated.", - Type: []string{"string"}, - Format: "", - }, - }, - "tagsAny": { - SchemaProps: spec.SchemaProps{ - Description: "tagsAny filters by networks containing any specified tags. Multiple tags are comma separated.", - Type: []string{"string"}, - Format: "", - }, - }, - "notTags": { - SchemaProps: spec.SchemaProps{ - Description: "notTags filters by networks which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", - Type: []string{"string"}, - Format: "", - }, - }, - "notTagsAny": { - SchemaProps: spec.SchemaProps{ - Description: "notTagsAny filters by networks which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", - Type: []string{"string"}, - Format: "", - }, - }, - "status": { + "deviceType": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: status is silently ignored. It has no replacement.", + Description: "deviceType specifies the disk device type. The valid values are \"Disk\" and \"CDRom\", and the default is \"Disk\".", + Default: "", Type: []string{"string"}, Format: "", }, }, - "adminStateUp": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: adminStateUp is silently ignored. It has no replacement.", - Type: []string{"boolean"}, - Format: "", - }, - }, - "shared": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: shared is silently ignored. It has no replacement.", - Type: []string{"boolean"}, - Format: "", - }, - }, - "marker": { + "adapterType": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: marker is silently ignored. It has no replacement.", + Description: "adapterType is the adapter type of the disk address. If the deviceType is \"Disk\", the valid adapterType can be \"SCSI\", \"IDE\", \"PCI\", \"SATA\" or \"SPAPR\". If the deviceType is \"CDRom\", the valid adapterType can be \"IDE\" or \"SATA\".", + Default: "", Type: []string{"string"}, Format: "", }, }, - "limit": { + "deviceIndex": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: limit is silently ignored. It has no replacement.", + Description: "deviceIndex is the index of the disk address. The valid values are non-negative integers, with the default value 0. For a Machine VM, the deviceIndex for the disks with the same deviceType.adapterType combination should start from 0 and increase consecutively afterwards. Note that for each Machine VM, the Disk.SCSI.0 and CDRom.IDE.0 are reserved to be used by the VM's system. So for dataDisks of Disk.SCSI and CDRom.IDE, the deviceIndex should start from 1.", Type: []string{"integer"}, Format: "int32", }, }, - "sortKey": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: sortKey is silently ignored. It has no replacement.", - Type: []string{"string"}, - Format: "", - }, - }, - "sortDir": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: sortDir is silently ignored. It has no replacement.", - Type: []string{"string"}, - Format: "", - }, - }, }, + Required: []string{"deviceType", "adapterType", "deviceIndex"}, }, }, } } -func schema_openshift_api_machine_v1alpha1_FixedIPs(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_NutanixVMStorageConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "NutanixVMStorageConfig specifies the storage configuration parameters for VM disks.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "subnetID": { + "diskMode": { SchemaProps: spec.SchemaProps{ - Description: "subnetID specifies the ID of the subnet where the fixed IP will be allocated.", + Description: "diskMode specifies the disk mode. The valid values are Standard and Flash, and the default is Standard.", Default: "", Type: []string{"string"}, Format: "", }, }, - "ipAddress": { + "storageContainer": { SchemaProps: spec.SchemaProps{ - Description: "ipAddress is a specific IP address to use in the given subnet. Port creation will fail if the address is not available. If not specified, an available IP from the given subnet will be selected automatically.", - Type: []string{"string"}, - Format: "", + Description: "storageContainer refers to the storage_container used by the VM disk.", + Ref: ref("github.com/openshift/api/machine/v1.NutanixStorageResourceIdentifier"), }, }, }, - Required: []string{"subnetID"}, + Required: []string{"diskMode"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.NutanixStorageResourceIdentifier"}, } } -func schema_openshift_api_machine_v1alpha1_NetworkParam(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_OpenShiftMachineV1Beta1MachineTemplate(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "OpenShiftMachineV1Beta1MachineTemplate is a template for the ControlPlaneMachineSet to create Machines from the v1beta1.machine.openshift.io API group.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "uuid": { - SchemaProps: spec.SchemaProps{ - Description: "The UUID of the network. Required if you omit the port attribute.", - Type: []string{"string"}, - Format: "", - }, - }, - "fixedIp": { + "failureDomains": { SchemaProps: spec.SchemaProps{ - Description: "A fixed IPv4 address for the NIC. Deprecated: fixedIP is silently ignored. Use subnets instead.", - Type: []string{"string"}, - Format: "", + Description: "failureDomains is the list of failure domains (sometimes called availability zones) in which the ControlPlaneMachineSet should balance the Control Plane Machines. This will be merged into the ProviderSpec given in the template. This field is optional on platforms that do not require placement information.", + Ref: ref("github.com/openshift/api/machine/v1.FailureDomains"), }, }, - "filter": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "Filters for optional network query", + Description: "ObjectMeta is the standard object metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata Labels are required to match the ControlPlaneMachineSet selector.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.Filter"), - }, - }, - "subnets": { - SchemaProps: spec.SchemaProps{ - Description: "Subnet within a network to use", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.SubnetParam"), - }, - }, - }, - }, - }, - "noAllowedAddressPairs": { - SchemaProps: spec.SchemaProps{ - Description: "noAllowedAddressPairs disables creation of allowed address pairs for the network ports", - Type: []string{"boolean"}, - Format: "", + Ref: ref("github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplateObjectMeta"), }, }, - "portTags": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "portTags allows users to specify a list of tags to add to ports created in a given network", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overridden when the Machines are created based on the FailureDomains field.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), }, }, - "vnicType": { + }, + Required: []string{"metadata", "spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.ControlPlaneMachineSetTemplateObjectMeta", "github.com/openshift/api/machine/v1.FailureDomains", "github.com/openshift/api/machine/v1beta1.MachineSpec"}, + } +} + +func schema_openshift_api_machine_v1_OpenStackFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OpenStackFailureDomain configures failure domain information for the OpenStack platform.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "availabilityZone": { SchemaProps: spec.SchemaProps{ - Description: "The virtual network interface card (vNIC) type that is bound to the neutron port.", + Description: "availabilityZone is the nova availability zone in which the OpenStack machine provider will create the VM. If not specified, the VM will be created in the default availability zone specified in the nova configuration. Availability zone names must NOT contain : since it is used by admin users to specify hosts where instances are launched in server creation. Also, it must not contain spaces otherwise it will lead to node that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits.", Type: []string{"string"}, Format: "", }, }, - "profile": { - SchemaProps: spec.SchemaProps{ - Description: "A dictionary that enables the application running on the specified host to pass and receive virtual network interface (VIF) port-specific information to the plug-in.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "portSecurity": { + "rootVolume": { SchemaProps: spec.SchemaProps{ - Description: "portSecurity optionally enables or disables security on ports managed by OpenStack", - Type: []string{"boolean"}, - Format: "", + Description: "rootVolume contains settings that will be used by the OpenStack machine provider to create the root volume attached to the VM. If not specified, no root volume will be created.", + Ref: ref("github.com/openshift/api/machine/v1.RootVolume"), }, }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.Filter", "github.com/openshift/api/machine/v1alpha1.SubnetParam"}, + "github.com/openshift/api/machine/v1.RootVolume"}, } } -func schema_openshift_api_machine_v1alpha1_OpenstackProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_PowerVSMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OpenstackProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an OpenStack Instance. It is used by the Openstack machine actuator to create a single machine instance. Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "PowerVSMachineProviderConfig is the type that will be embedded in a Machine.Spec.ProviderSpec field for a PowerVS virtual machine. It is used by the PowerVS machine actuator to create a single Machine.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -35782,431 +36742,497 @@ func schema_openshift_api_machine_v1alpha1_OpenstackProviderSpec(ref common.Refe }, "metadata": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "cloudsSecret": { + "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "The name of the secret containing the openstack credentials", - Ref: ref("k8s.io/api/core/v1.SecretReference"), + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance.", + Ref: ref("github.com/openshift/api/machine/v1.PowerVSSecretReference"), }, }, - "cloudName": { + "credentialsSecret": { SchemaProps: spec.SchemaProps{ - Description: "The name of the cloud to use from the clouds secret", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "credentialsSecret is a reference to the secret with IBM Cloud credentials.", + Ref: ref("github.com/openshift/api/machine/v1.PowerVSSecretReference"), }, }, - "flavor": { + "serviceInstance": { SchemaProps: spec.SchemaProps{ - Description: "The flavor reference for the flavor for your server instance.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "serviceInstance is the reference to the Power VS service on which the server instance(VM) will be created. Power VS service is a container for all Power VS instances at a specific geographic region. serviceInstance can be created via IBM Cloud catalog or CLI. supported serviceInstance identifier in PowerVSResource are Name and ID and that can be obtained from IBM Cloud UI or IBM Cloud cli. More detail about Power VS service instance. https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), }, }, "image": { SchemaProps: spec.SchemaProps{ - Description: "The name of the image to use for your server instance. If the RootVolume is specified, this will be ignored and use rootVolume directly.", + Description: "image is to identify the rhcos image uploaded to IBM COS bucket which is used to create the instance. supported image identifier in PowerVSResource are Name and ID and that can be obtained from IBM Cloud UI or IBM Cloud cli.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), + }, + }, + "network": { + SchemaProps: spec.SchemaProps{ + Description: "network is the reference to the Network to use for this instance. supported network identifier in PowerVSResource are Name, ID and RegEx and that can be obtained from IBM Cloud UI or IBM Cloud cli.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1.PowerVSResource"), + }, + }, + "keyPairName": { + SchemaProps: spec.SchemaProps{ + Description: "keyPairName is the name of the KeyPair to use for SSH. The key pair will be exposed to the instance via the instance metadata service. On boot, the OS will copy the public keypair into the authorized keys for the core user.", Default: "", Type: []string{"string"}, Format: "", }, }, - "keyName": { + "systemType": { SchemaProps: spec.SchemaProps{ - Description: "The ssh key to inject in the instance", + Description: "systemType is the System type used to host the instance. systemType determines the number of cores and memory that is available. Few of the supported SystemTypes are s922,e880,e980. e880 systemType available only in Dallas Datacenters. e980 systemType available in Datacenters except Dallas and Washington. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is s922 which is generally available.", Type: []string{"string"}, Format: "", }, }, - "sshUserName": { + "processorType": { SchemaProps: spec.SchemaProps{ - Description: "The machine ssh username Deprecated: sshUserName is silently ignored.", + Description: "processorType is the VM instance processor type. It must be set to one of the following values: Dedicated, Capped or Shared. Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. Shared: Shared among other clients. Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. if the processorType is selected as Dedicated, then processors value cannot be fractional. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Shared.", Type: []string{"string"}, Format: "", }, }, - "networks": { + "processors": { SchemaProps: spec.SchemaProps{ - Description: "A networks object. Required parameter when there are multiple networks defined for the tenant. When you do not specify the networks parameter, the server attaches to the only network created for the current tenant.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.NetworkParam"), - }, - }, - }, + Description: "processors is the number of virtual processors in a virtual machine. when the processorType is selected as Dedicated the processors value cannot be fractional. maximum value for the Processors depends on the selected SystemType. when SystemType is set to e880 or e980 maximum Processors value is 143. when SystemType is set to s922 maximum Processors value is 15. minimum value for Processors depends on the selected ProcessorType. when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. when ProcessorType is set as Dedicated, The minimum processors is 1. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default is set based on the selected ProcessorType. when ProcessorType selected as Dedicated, the default is set to 1. when ProcessorType selected as Shared or Capped, the default is set to 0.5.", + Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), }, }, - "ports": { + "memoryGiB": { SchemaProps: spec.SchemaProps{ - Description: "Create and assign additional ports to instances", + Description: "memoryGiB is the size of a virtual machine's memory, in GiB. maximum value for the MemoryGiB depends on the selected SystemType. when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. The minimum memory is 32 GiB. When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is 32.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "loadBalancers": { + SchemaProps: spec.SchemaProps{ + Description: "loadBalancers is the set of load balancers to which the new control plane instance should be added once it is created.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.PortOpts"), + Ref: ref("github.com/openshift/api/machine/v1.LoadBalancerReference"), }, }, }, }, }, - "floatingIP": { + }, + Required: []string{"serviceInstance", "image", "network", "keyPairName"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1.LoadBalancerReference", "github.com/openshift/api/machine/v1.PowerVSResource", "github.com/openshift/api/machine/v1.PowerVSSecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"}, + } +} + +func schema_openshift_api_machine_v1_PowerVSMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PowerVSMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains PowerVS-specific status information.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "floatingIP specifies a floating IP to be associated with the machine. Note that it is not safe to use this parameter in a MachineSet, as only one Machine may be assigned the same floating IP.\n\nDeprecated: floatingIP will be removed in a future release as it cannot be implemented correctly.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "availabilityZone": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "The availability zone from which to launch the server.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "securityGroups": { + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "The names of the security groups to assign to the instance", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.SecurityGroupParam"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "userDataSecret": { + "instanceId": { SchemaProps: spec.SchemaProps{ - Description: "The name of the secret containing the user data (startup script in most cases)", - Ref: ref("k8s.io/api/core/v1.SecretReference"), + Description: "instanceId is the instance ID of the machine created in PowerVS instanceId uniquely identifies a Power VS server instance(VM) under a Power VS service. This will help in updating or deleting a VM in Power VS Cloud", + Type: []string{"string"}, + Format: "", }, }, - "trunk": { + "serviceInstanceID": { SchemaProps: spec.SchemaProps{ - Description: "Whether the server instance is created on a trunk port or not.", - Type: []string{"boolean"}, + Description: "serviceInstanceID is the reference to the Power VS ServiceInstance on which the machine instance will be created. serviceInstanceID uniquely identifies the Power VS service By setting serviceInstanceID it will become easy and efficient to fetch a server instance(VM) within Power VS Cloud.", + Type: []string{"string"}, Format: "", }, }, - "tags": { + "instanceState": { SchemaProps: spec.SchemaProps{ - Description: "Machine tags Requires Nova api 2.52 minimum!", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "instanceState is the state of the PowerVS instance for this machine Possible instance states are Active, Build, ShutOff, Reboot This is used to display additional information to user regarding instance current state", + Type: []string{"string"}, + Format: "", }, }, - "serverMetadata": { + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + +func schema_openshift_api_machine_v1_PowerVSResource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PowerVSResource is a reference to a specific PowerVS resource by ID, Name or RegEx Only one of ID, Name or RegEx may be specified. Specifying more than one will result in a validation error.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { SchemaProps: spec.SchemaProps{ - Description: "Metadata mapping. Allows you to create a map of key value pairs to add to the server instance.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "type identifies the resource type for this entry. Valid values are ID, Name and RegEx", + Type: []string{"string"}, + Format: "", }, }, - "configDrive": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "Config Drive support", - Type: []string{"boolean"}, + Description: "id of resource", + Type: []string{"string"}, Format: "", }, }, - "rootVolume": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "The volume metadata to boot from", - Ref: ref("github.com/openshift/api/machine/v1alpha1.RootVolume"), + Description: "name of resource", + Type: []string{"string"}, + Format: "", }, }, - "additionalBlockDevices": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, + "regex": { SchemaProps: spec.SchemaProps{ - Description: "additionalBlockDevices is a list of specifications for additional block devices to attach to the server instance", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.AdditionalBlockDevice"), - }, - }, + Description: "regex to find resource Regex contains the pattern to match to find a resource", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "fields-to-discriminateBy": map[string]interface{}{ + "id": "ID", + "name": "Name", + "regex": "RegEx", + "type": "Type", }, }, }, - "serverGroupID": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1_PowerVSSecretReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PowerVSSecretReference contains enough information to locate the referenced secret inside the same namespace.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { SchemaProps: spec.SchemaProps{ - Description: "The server group to assign the machine to.", + Description: "name of the secret.", Type: []string{"string"}, Format: "", }, }, - "serverGroupName": { + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-map-type": "atomic", + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1_RootVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RootVolume represents the volume metadata to boot from. The original RootVolume struct is defined in the v1alpha1 but it's not best practice to use it directly here so we define a new one that should stay in sync with the original one.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "availabilityZone": { SchemaProps: spec.SchemaProps{ - Description: "The server group to assign the machine to. A server group with that name will be created if it does not exist. If both ServerGroupID and ServerGroupName are non-empty, they must refer to the same OpenStack resource.", + Description: "availabilityZone specifies the Cinder availability zone where the root volume will be created. If not specifified, the root volume will be created in the availability zone specified by the volume type in the cinder configuration. If the volume type (configured in the OpenStack cluster) does not specify an availability zone, the root volume will be created in the default availability zone specified in the cinder configuration. See https://docs.openstack.org/cinder/latest/admin/availability-zone-type.html for more details. If the OpenStack cluster is deployed with the cross_az_attach configuration option set to false, the root volume will have to be in the same availability zone as the VM (defined by OpenStackFailureDomain.AvailabilityZone). Availability zone names must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits.", Type: []string{"string"}, Format: "", }, }, - "primarySubnet": { + "volumeType": { SchemaProps: spec.SchemaProps{ - Description: "The subnet that a set of machines will get ingress/egress traffic from Deprecated: primarySubnet is silently ignored. Use subnets instead.", + Description: "volumeType specifies the type of the root volume that will be provisioned. The maximum length of a volume type name is 255 characters, as per the OpenStack limit.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"cloudsSecret", "cloudName", "flavor", "image"}, + Required: []string{"volumeType"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.AdditionalBlockDevice", "github.com/openshift/api/machine/v1alpha1.NetworkParam", "github.com/openshift/api/machine/v1alpha1.PortOpts", "github.com/openshift/api/machine/v1alpha1.RootVolume", "github.com/openshift/api/machine/v1alpha1.SecurityGroupParam", "k8s.io/api/core/v1.SecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1alpha1_PortOpts(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1_SystemDiskProperties(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "SystemDiskProperties contains the information regarding the system disk including performance, size, name, and category", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "networkID": { + "category": { SchemaProps: spec.SchemaProps{ - Description: "networkID is the ID of the network the port will be created in. It is required.", - Default: "", + Description: "category is the category of the system disk. Valid values: cloud_essd: ESSD. When the parameter is set to this value, you can use the SystemDisk.PerformanceLevel parameter to specify the performance level of the disk. cloud_efficiency: ultra disk. cloud_ssd: standard SSD. cloud: basic disk. Empty value means no opinion and the platform chooses the a default, which is subject to change over time. Currently for non-I/O optimized instances of retired instance types, the default is `cloud`. Currently for other instances, the default is `cloud_efficiency`.", Type: []string{"string"}, Format: "", }, }, - "nameSuffix": { + "performanceLevel": { SchemaProps: spec.SchemaProps{ - Description: "If nameSuffix is specified the created port will be named -. If not specified the port will be named -.", + Description: "performanceLevel is the performance level of the ESSD used as the system disk. Valid values:\n\nPL0: A single ESSD can deliver up to 10,000 random read/write IOPS. PL1: A single ESSD can deliver up to 50,000 random read/write IOPS. PL2: A single ESSD can deliver up to 100,000 random read/write IOPS. PL3: A single ESSD can deliver up to 1,000,000 random read/write IOPS. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `PL1`. For more information about ESSD performance levels, see ESSDs.", Type: []string{"string"}, Format: "", }, }, - "description": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "description specifies the description of the created port.", + Description: "name is the name of the system disk. If the name is specified the name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). Empty value means the platform chooses a default, which is subject to change over time. Currently the default is `\"\"`.", Type: []string{"string"}, Format: "", }, }, - "adminStateUp": { + "size": { SchemaProps: spec.SchemaProps{ - Description: "adminStateUp sets the administrative state of the created port to up (true), or down (false).", - Type: []string{"boolean"}, - Format: "", + Description: "size is the size of the system disk. Unit: GiB. Valid values: 20 to 500. The value must be at least 20 and greater than or equal to the size of the image. Empty value means the platform chooses a default, which is subject to change over time. Currently the default is `40` or the size of the image depending on whichever is greater.", + Type: []string{"integer"}, + Format: "int64", }, }, - "macAddress": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1_Tag(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Tag The tags of ECS Instance", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "Key": { SchemaProps: spec.SchemaProps{ - Description: "macAddress specifies the MAC address of the created port.", + Description: "Key is the name of the key pair", + Default: "", Type: []string{"string"}, Format: "", }, }, - "fixedIPs": { - SchemaProps: spec.SchemaProps{ - Description: "fixedIPs specifies a set of fixed IPs to assign to the port. They must all be valid for the port's network.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.FixedIPs"), - }, - }, - }, - }, - }, - "tenantID": { + "Value": { SchemaProps: spec.SchemaProps{ - Description: "tenantID specifies the tenant ID of the created port. Note that this requires OpenShift to have administrative permissions, which is typically not the case. Use of this field is not recommended. Deprecated: tenantID is silently ignored.", + Description: "Value is the value or data of the key pair", + Default: "", Type: []string{"string"}, Format: "", }, }, - "projectID": { + }, + Required: []string{"Key", "Value"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1_VSphereFailureDomain(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VSphereFailureDomain configures failure domain information for the vSphere platform", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { SchemaProps: spec.SchemaProps{ - Description: "projectID specifies the project ID of the created port. Note that this requires OpenShift to have administrative permissions, which is typically not the case. Use of this field is not recommended. Deprecated: projectID is silently ignored.", + Description: "name of the failure domain in which the vSphere machine provider will create the VM. Failure domains are defined in a cluster's config.openshift.io/Infrastructure resource. When balancing machines across failure domains, the control plane machine set will inject configuration from the Infrastructure resource into the machine providerSpec to allocate the machine to a failure domain.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "securityGroups": { + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1alpha1_AdditionalBlockDevice(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "additionalBlockDevice is a block device to attach to the server.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { SchemaProps: spec.SchemaProps{ - Description: "securityGroups specifies a set of security group UUIDs to use instead of the machine's default security groups. The default security groups will be used if this is left empty or not specified.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "name of the block device in the context of a machine. If the block device is a volume, the Cinder volume will be named as a combination of the machine name and this name. Also, this name will be used for tagging the block device. Information about the block device tag can be obtained from the OpenStack metadata API or the config drive.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "allowedAddressPairs": { + "sizeGiB": { SchemaProps: spec.SchemaProps{ - Description: "allowedAddressPairs specifies a set of allowed address pairs to add to the port.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.AddressPair"), - }, - }, - }, + Description: "sizeGiB is the size of the block device in gibibytes (GiB).", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "tags": { + "storage": { SchemaProps: spec.SchemaProps{ - Description: "tags species a set of tags to add to the port.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "storage specifies the storage type of the block device and additional storage options.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.BlockDeviceStorage"), }, }, - "vnicType": { + }, + Required: []string{"name", "sizeGiB", "storage"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1alpha1.BlockDeviceStorage"}, + } +} + +func schema_openshift_api_machine_v1alpha1_AddressPair(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "ipAddress": { SchemaProps: spec.SchemaProps{ - Description: "The virtual network interface card (vNIC) type that is bound to the neutron port.", - Type: []string{"string"}, - Format: "", + Type: []string{"string"}, + Format: "", }, }, - "profile": { + "macAddress": { SchemaProps: spec.SchemaProps{ - Description: "A dictionary that enables the application running on the specified host to pass and receive virtual network interface (VIF) port-specific information to the plug-in.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Type: []string{"string"}, + Format: "", }, }, - "portSecurity": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1alpha1_BlockDeviceStorage(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "blockDeviceStorage is the storage type of a block device to create and contains additional storage options.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { SchemaProps: spec.SchemaProps{ - Description: "enable or disable security on a given port incompatible with securityGroups and allowedAddressPairs", - Type: []string{"boolean"}, + Description: "type is the type of block device to create. This can be either \"Volume\" or \"Local\".", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "trunk": { + "volume": { SchemaProps: spec.SchemaProps{ - Description: "Enables and disables trunk at port level. If not provided, openStackMachine.Spec.Trunk is inherited.", - Type: []string{"boolean"}, - Format: "", + Description: "volume contains additional storage options for a volume block device.", + Ref: ref("github.com/openshift/api/machine/v1alpha1.BlockDeviceVolume"), }, }, - "hostID": { - SchemaProps: spec.SchemaProps{ - Description: "The ID of the host where the port is allocated. Do not use this field: it cannot be used correctly. Deprecated: hostID is silently ignored. It will be removed with no replacement.", - Type: []string{"string"}, - Format: "", + }, + Required: []string{"type"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "volume": "Volume", + }, }, }, }, - Required: []string{"networkID"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.AddressPair", "github.com/openshift/api/machine/v1alpha1.FixedIPs"}, + "github.com/openshift/api/machine/v1alpha1.BlockDeviceVolume"}, } } -func schema_openshift_api_machine_v1alpha1_RootVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_BlockDeviceVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "blockDeviceVolume contains additional storage options for a volume block device.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "sourceUUID": { - SchemaProps: spec.SchemaProps{ - Description: "sourceUUID specifies the UUID of a glance image used to populate the root volume. Deprecated: set image in the platform spec instead. This will be ignored if image is set in the platform spec.", - Type: []string{"string"}, - Format: "", - }, - }, - "volumeType": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "volumeType specifies a volume type to use when creating the root volume. If not specified the default volume type will be used.", + Description: "type is the Cinder volume type of the volume. If omitted, the default Cinder volume type that is configured in the OpenStack cloud will be used.", Type: []string{"string"}, Format: "", }, }, - "diskSize": { - SchemaProps: spec.SchemaProps{ - Description: "diskSize specifies the size, in GiB, of the created root volume.", - Type: []string{"integer"}, - Format: "int32", - }, - }, "availabilityZone": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone specifies the Cinder availability where the root volume will be created.", - Type: []string{"string"}, - Format: "", - }, - }, - "sourceType": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: sourceType will be silently ignored. There is no replacement.", - Type: []string{"string"}, - Format: "", - }, - }, - "deviceType": { - SchemaProps: spec.SchemaProps{ - Description: "Deprecated: deviceType will be silently ignored. There is no replacement.", + Description: "availabilityZone is the volume availability zone to create the volume in. If omitted, the availability zone of the server will be used. The availability zone must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information.", Type: []string{"string"}, Format: "", }, @@ -36217,7 +37243,7 @@ func schema_openshift_api_machine_v1alpha1_RootVolume(ref common.ReferenceCallba } } -func schema_openshift_api_machine_v1alpha1_SecurityGroupFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_Filter(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ @@ -36225,72 +37251,86 @@ func schema_openshift_api_machine_v1alpha1_SecurityGroupFilter(ref common.Refere Properties: map[string]spec.Schema{ "id": { SchemaProps: spec.SchemaProps{ - Description: "id specifies the ID of a security group to use. If set, id will not be validated before use. An invalid id will result in failure to create a server with an appropriate error message.", + Description: "Deprecated: use NetworkParam.uuid instead. Ignored if NetworkParam.uuid is set.", Type: []string{"string"}, Format: "", }, }, "name": { SchemaProps: spec.SchemaProps{ - Description: "name filters security groups by name.", + Description: "name filters networks by name.", Type: []string{"string"}, Format: "", }, }, "description": { SchemaProps: spec.SchemaProps{ - Description: "description filters security groups by description.", + Description: "description filters networks by description.", Type: []string{"string"}, Format: "", }, }, "tenantId": { SchemaProps: spec.SchemaProps{ - Description: "tenantId filters security groups by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", + Description: "tenantId filters networks by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", Type: []string{"string"}, Format: "", }, }, "projectId": { SchemaProps: spec.SchemaProps{ - Description: "projectId filters security groups by project ID.", + Description: "projectId filters networks by project ID.", Type: []string{"string"}, Format: "", }, }, "tags": { SchemaProps: spec.SchemaProps{ - Description: "tags filters by security groups containing all specified tags. Multiple tags are comma separated.", + Description: "tags filters by networks containing all specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, "tagsAny": { SchemaProps: spec.SchemaProps{ - Description: "tagsAny filters by security groups containing any specified tags. Multiple tags are comma separated.", + Description: "tagsAny filters by networks containing any specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, "notTags": { SchemaProps: spec.SchemaProps{ - Description: "notTags filters by security groups which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", + Description: "notTags filters by networks which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, "notTagsAny": { SchemaProps: spec.SchemaProps{ - Description: "notTagsAny filters by security groups which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", + Description: "notTagsAny filters by networks which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "limit": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: limit is silently ignored. It has no replacement.", - Type: []string{"integer"}, - Format: "int32", + Description: "Deprecated: status is silently ignored. It has no replacement.", + Type: []string{"string"}, + Format: "", + }, + }, + "adminStateUp": { + SchemaProps: spec.SchemaProps{ + Description: "Deprecated: adminStateUp is silently ignored. It has no replacement.", + Type: []string{"boolean"}, + Format: "", + }, + }, + "shared": { + SchemaProps: spec.SchemaProps{ + Description: "Deprecated: shared is silently ignored. It has no replacement.", + Type: []string{"boolean"}, + Format: "", }, }, "marker": { @@ -36300,6 +37340,13 @@ func schema_openshift_api_machine_v1alpha1_SecurityGroupFilter(ref common.Refere Format: "", }, }, + "limit": { + SchemaProps: spec.SchemaProps{ + Description: "Deprecated: limit is silently ignored. It has no replacement.", + Type: []string{"integer"}, + Format: "int32", + }, + }, "sortKey": { SchemaProps: spec.SchemaProps{ Description: "Deprecated: sortKey is silently ignored. It has no replacement.", @@ -36320,223 +37367,279 @@ func schema_openshift_api_machine_v1alpha1_SecurityGroupFilter(ref common.Refere } } -func schema_openshift_api_machine_v1alpha1_SecurityGroupParam(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_FixedIPs(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ Type: []string{"object"}, Properties: map[string]spec.Schema{ - "uuid": { + "subnetID": { SchemaProps: spec.SchemaProps{ - Description: "Security Group UUID", + Description: "subnetID specifies the ID of the subnet where the fixed IP will be allocated.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "name": { + "ipAddress": { SchemaProps: spec.SchemaProps{ - Description: "Security Group name", + Description: "ipAddress is a specific IP address to use in the given subnet. Port creation will fail if the address is not available. If not specified, an available IP from the given subnet will be selected automatically.", Type: []string{"string"}, Format: "", }, }, - "filter": { - SchemaProps: spec.SchemaProps{ - Description: "Filters used to query security groups in openstack", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.SecurityGroupFilter"), - }, - }, }, + Required: []string{"subnetID"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.SecurityGroupFilter"}, } } -func schema_openshift_api_machine_v1alpha1_SubnetFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_NetworkParam(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ Type: []string{"object"}, Properties: map[string]spec.Schema{ - "id": { + "uuid": { SchemaProps: spec.SchemaProps{ - Description: "id is the uuid of a specific subnet to use. If specified, id will not be validated. Instead server creation will fail with an appropriate error.", + Description: "The UUID of the network. Required if you omit the port attribute.", Type: []string{"string"}, Format: "", }, }, - "name": { + "fixedIp": { SchemaProps: spec.SchemaProps{ - Description: "name filters subnets by name.", + Description: "A fixed IPv4 address for the NIC. Deprecated: fixedIP is silently ignored. Use subnets instead.", Type: []string{"string"}, Format: "", }, }, - "description": { + "filter": { SchemaProps: spec.SchemaProps{ - Description: "description filters subnets by description.", - Type: []string{"string"}, - Format: "", + Description: "Filters for optional network query", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.Filter"), }, }, - "networkId": { + "subnets": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: networkId is silently ignored. Set uuid on the containing network definition instead.", - Type: []string{"string"}, - Format: "", + Description: "Subnet within a network to use", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.SubnetParam"), + }, + }, + }, }, }, - "tenantId": { + "noAllowedAddressPairs": { SchemaProps: spec.SchemaProps{ - Description: "tenantId filters subnets by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", - Type: []string{"string"}, + Description: "noAllowedAddressPairs disables creation of allowed address pairs for the network ports", + Type: []string{"boolean"}, Format: "", }, }, - "projectId": { + "portTags": { SchemaProps: spec.SchemaProps{ - Description: "projectId filters subnets by project ID.", + Description: "portTags allows users to specify a list of tags to add to ports created in a given network", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "vnicType": { + SchemaProps: spec.SchemaProps{ + Description: "The virtual network interface card (vNIC) type that is bound to the neutron port.", Type: []string{"string"}, Format: "", }, }, - "ipVersion": { + "profile": { SchemaProps: spec.SchemaProps{ - Description: "ipVersion filters subnets by IP version.", - Type: []string{"integer"}, - Format: "int32", + Description: "A dictionary that enables the application running on the specified host to pass and receive virtual network interface (VIF) port-specific information to the plug-in.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "gateway_ip": { + "portSecurity": { SchemaProps: spec.SchemaProps{ - Description: "gateway_ip filters subnets by gateway IP.", - Type: []string{"string"}, + Description: "portSecurity optionally enables or disables security on ports managed by OpenStack", + Type: []string{"boolean"}, Format: "", }, }, - "cidr": { + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1alpha1.Filter", "github.com/openshift/api/machine/v1alpha1.SubnetParam"}, + } +} + +func schema_openshift_api_machine_v1alpha1_OpenstackProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OpenstackProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an OpenStack Instance. It is used by the Openstack machine actuator to create a single machine instance. Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "cidr filters subnets by CIDR.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "ipv6AddressMode": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "ipv6AddressMode filters subnets by IPv6 address mode.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "ipv6RaMode": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "ipv6RaMode filters subnets by IPv6 router adversiement mode.", - Type: []string{"string"}, - Format: "", + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "subnetpoolId": { + "cloudsSecret": { SchemaProps: spec.SchemaProps{ - Description: "subnetpoolId filters subnets by subnet pool ID. Deprecated: subnetpoolId is silently ignored.", + Description: "The name of the secret containing the openstack credentials", + Ref: ref("k8s.io/api/core/v1.SecretReference"), + }, + }, + "cloudName": { + SchemaProps: spec.SchemaProps{ + Description: "The name of the cloud to use from the clouds secret", + Default: "", Type: []string{"string"}, Format: "", }, }, - "tags": { + "flavor": { SchemaProps: spec.SchemaProps{ - Description: "tags filters by subnets containing all specified tags. Multiple tags are comma separated.", + Description: "The flavor reference for the flavor for your server instance.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "tagsAny": { + "image": { SchemaProps: spec.SchemaProps{ - Description: "tagsAny filters by subnets containing any specified tags. Multiple tags are comma separated.", + Description: "The name of the image to use for your server instance. If the RootVolume is specified, this will be ignored and use rootVolume directly.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "notTags": { + "keyName": { SchemaProps: spec.SchemaProps{ - Description: "notTags filters by subnets which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", + Description: "The ssh key to inject in the instance", Type: []string{"string"}, Format: "", }, }, - "notTagsAny": { + "sshUserName": { SchemaProps: spec.SchemaProps{ - Description: "notTagsAny filters by subnets which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", + Description: "The machine ssh username Deprecated: sshUserName is silently ignored.", Type: []string{"string"}, Format: "", }, }, - "enableDhcp": { + "networks": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: enableDhcp is silently ignored. It has no replacement.", - Type: []string{"boolean"}, - Format: "", + Description: "A networks object. Required parameter when there are multiple networks defined for the tenant. When you do not specify the networks parameter, the server attaches to the only network created for the current tenant.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.NetworkParam"), + }, + }, + }, }, }, - "limit": { + "ports": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: limit is silently ignored. It has no replacement.", - Type: []string{"integer"}, - Format: "int32", + Description: "Create and assign additional ports to instances", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.PortOpts"), + }, + }, + }, }, }, - "marker": { + "floatingIP": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: marker is silently ignored. It has no replacement.", + Description: "floatingIP specifies a floating IP to be associated with the machine. Note that it is not safe to use this parameter in a MachineSet, as only one Machine may be assigned the same floating IP.\n\nDeprecated: floatingIP will be removed in a future release as it cannot be implemented correctly.", Type: []string{"string"}, Format: "", }, }, - "sortKey": { + "availabilityZone": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: sortKey is silently ignored. It has no replacement.", + Description: "The availability zone from which to launch the server.", Type: []string{"string"}, Format: "", }, }, - "sortDir": { + "securityGroups": { SchemaProps: spec.SchemaProps{ - Description: "Deprecated: sortDir is silently ignored. It has no replacement.", - Type: []string{"string"}, - Format: "", + Description: "The names of the security groups to assign to the instance", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.SecurityGroupParam"), + }, + }, + }, }, }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1alpha1_SubnetParam(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "uuid": { + "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "The UUID of the network. Required if you omit the port attribute.", - Type: []string{"string"}, - Format: "", + Description: "The name of the secret containing the user data (startup script in most cases)", + Ref: ref("k8s.io/api/core/v1.SecretReference"), }, }, - "filter": { + "trunk": { SchemaProps: spec.SchemaProps{ - Description: "Filters for optional network query", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1alpha1.SubnetFilter"), + Description: "Whether the server instance is created on a trunk port or not.", + Type: []string{"boolean"}, + Format: "", }, }, - "portTags": { + "tags": { SchemaProps: spec.SchemaProps{ - Description: "portTags are tags that are added to ports created on this subnet", + Description: "Machine tags Requires Nova api 2.52 minimum!", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -36549,770 +37652,660 @@ func schema_openshift_api_machine_v1alpha1_SubnetParam(ref common.ReferenceCallb }, }, }, - "portSecurity": { + "serverMetadata": { SchemaProps: spec.SchemaProps{ - Description: "portSecurity optionally enables or disables security on ports managed by OpenStack Deprecated: portSecurity is silently ignored. Set portSecurity on the parent network instead.", + Description: "Metadata mapping. Allows you to create a map of key value pairs to add to the server instance.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "configDrive": { + SchemaProps: spec.SchemaProps{ + Description: "Config Drive support", Type: []string{"boolean"}, Format: "", }, }, + "rootVolume": { + SchemaProps: spec.SchemaProps{ + Description: "The volume metadata to boot from", + Ref: ref("github.com/openshift/api/machine/v1alpha1.RootVolume"), + }, + }, + "additionalBlockDevices": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "additionalBlockDevices is a list of specifications for additional block devices to attach to the server instance", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.AdditionalBlockDevice"), + }, + }, + }, + }, + }, + "serverGroupID": { + SchemaProps: spec.SchemaProps{ + Description: "The server group to assign the machine to.", + Type: []string{"string"}, + Format: "", + }, + }, + "serverGroupName": { + SchemaProps: spec.SchemaProps{ + Description: "The server group to assign the machine to. A server group with that name will be created if it does not exist. If both ServerGroupID and ServerGroupName are non-empty, they must refer to the same OpenStack resource.", + Type: []string{"string"}, + Format: "", + }, + }, + "primarySubnet": { + SchemaProps: spec.SchemaProps{ + Description: "The subnet that a set of machines will get ingress/egress traffic from Deprecated: primarySubnet is silently ignored. Use subnets instead.", + Type: []string{"string"}, + Format: "", + }, + }, }, + Required: []string{"cloudsSecret", "cloudName", "flavor", "image"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1alpha1.SubnetFilter"}, + "github.com/openshift/api/machine/v1alpha1.AdditionalBlockDevice", "github.com/openshift/api/machine/v1alpha1.NetworkParam", "github.com/openshift/api/machine/v1alpha1.PortOpts", "github.com/openshift/api/machine/v1alpha1.RootVolume", "github.com/openshift/api/machine/v1alpha1.SecurityGroupParam", "k8s.io/api/core/v1.SecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_AWSMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_PortOpts(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSMachineProviderConfig is the Schema for the awsmachineproviderconfigs API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "networkID": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "networkID is the ID of the network the port will be created in. It is required.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "nameSuffix": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "If nameSuffix is specified the created port will be named -. If not specified the port will be named -.", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "description": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Description: "description specifies the description of the created port.", + Type: []string{"string"}, + Format: "", }, }, - "ami": { + "adminStateUp": { SchemaProps: spec.SchemaProps{ - Description: "ami is the reference to the AMI from which to create the machine instance.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), + Description: "adminStateUp sets the administrative state of the created port to up (true), or down (false).", + Type: []string{"boolean"}, + Format: "", }, }, - "instanceType": { + "macAddress": { SchemaProps: spec.SchemaProps{ - Description: "instanceType is the type of instance to create. Example: m4.xlarge", - Default: "", + Description: "macAddress specifies the MAC address of the created port.", Type: []string{"string"}, Format: "", }, }, - "tags": { + "fixedIPs": { SchemaProps: spec.SchemaProps{ - Description: "tags is the set of tags to add to apply to an instance, in addition to the ones added by default by the actuator. These tags are additive. The actuator will ensure these tags are present, but will not remove any other tags that may exist on the instance.", + Description: "fixedIPs specifies a set of fixed IPs to assign to the port. They must all be valid for the port's network.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.TagSpecification"), + Ref: ref("github.com/openshift/api/machine/v1alpha1.FixedIPs"), }, }, }, }, }, - "iamInstanceProfile": { - SchemaProps: spec.SchemaProps{ - Description: "iamInstanceProfile is a reference to an IAM role to assign to the instance", - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), - }, - }, - "userDataSecret": { - SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), - }, - }, - "credentialsSecret": { - SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with AWS credentials. Otherwise, defaults to permissions provided by attached IAM role where the actuator is running.", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), - }, - }, - "keyName": { + "tenantID": { SchemaProps: spec.SchemaProps{ - Description: "keyName is the name of the KeyPair to use for SSH", + Description: "tenantID specifies the tenant ID of the created port. Note that this requires OpenShift to have administrative permissions, which is typically not the case. Use of this field is not recommended. Deprecated: tenantID is silently ignored.", Type: []string{"string"}, Format: "", }, }, - "deviceIndex": { - SchemaProps: spec.SchemaProps{ - Description: "deviceIndex is the index of the device on the instance for the network interface attachment. Defaults to 0.", - Default: 0, - Type: []string{"integer"}, - Format: "int64", - }, - }, - "publicIp": { - SchemaProps: spec.SchemaProps{ - Description: "publicIp specifies whether the instance should get a public IP. If not present, it should use the default of its subnet.", - Type: []string{"boolean"}, - Format: "", - }, - }, - "networkInterfaceType": { + "projectID": { SchemaProps: spec.SchemaProps{ - Description: "networkInterfaceType specifies the type of network interface to be used for the primary network interface. Valid values are \"ENA\", \"EFA\", and omitted, which means no opinion and the platform chooses a good default which may change over time. The current default value is \"ENA\". Please visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html to learn more about the AWS Elastic Fabric Adapter interface option.", + Description: "projectID specifies the project ID of the created port. Note that this requires OpenShift to have administrative permissions, which is typically not the case. Use of this field is not recommended. Deprecated: projectID is silently ignored.", Type: []string{"string"}, Format: "", }, }, "securityGroups": { SchemaProps: spec.SchemaProps{ - Description: "securityGroups is an array of references to security groups that should be applied to the instance.", + Description: "securityGroups specifies a set of security group UUIDs to use instead of the machine's default security groups. The default security groups will be used if this is left empty or not specified.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "subnet": { - SchemaProps: spec.SchemaProps{ - Description: "subnet is a reference to the subnet to use for this instance", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), - }, - }, - "placement": { - SchemaProps: spec.SchemaProps{ - Description: "placement specifies where to create the instance in AWS", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Placement"), - }, - }, - "loadBalancers": { + "allowedAddressPairs": { SchemaProps: spec.SchemaProps{ - Description: "loadBalancers is the set of load balancers to which the new instance should be added once it is created.", + Description: "allowedAddressPairs specifies a set of allowed address pairs to add to the port.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.LoadBalancerReference"), + Ref: ref("github.com/openshift/api/machine/v1alpha1.AddressPair"), }, }, }, }, }, - "blockDevices": { + "tags": { SchemaProps: spec.SchemaProps{ - Description: "blockDevices is the set of block device mapping associated to this instance, block device without a name will be used as a root device and only one device without a name is allowed https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html", + Description: "tags species a set of tags to add to the port.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.BlockDeviceMappingSpec"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "spotMarketOptions": { + "vnicType": { SchemaProps: spec.SchemaProps{ - Description: "spotMarketOptions allows users to configure instances to be run using AWS Spot instances.", - Ref: ref("github.com/openshift/api/machine/v1beta1.SpotMarketOptions"), + Description: "The virtual network interface card (vNIC) type that is bound to the neutron port.", + Type: []string{"string"}, + Format: "", }, }, - "metadataServiceOptions": { + "profile": { SchemaProps: spec.SchemaProps{ - Description: "metadataServiceOptions allows users to configure instance metadata service interaction options. If nothing specified, default AWS IMDS settings will be applied. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MetadataServiceOptions"), + Description: "A dictionary that enables the application running on the specified host to pass and receive virtual network interface (VIF) port-specific information to the plug-in.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "placementGroupName": { + "portSecurity": { SchemaProps: spec.SchemaProps{ - Description: "placementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", - Type: []string{"string"}, + Description: "enable or disable security on a given port incompatible with securityGroups and allowedAddressPairs", + Type: []string{"boolean"}, Format: "", }, }, - "placementGroupPartition": { - SchemaProps: spec.SchemaProps{ - Description: "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", - Type: []string{"integer"}, - Format: "int32", - }, - }, - "capacityReservationId": { + "trunk": { SchemaProps: spec.SchemaProps{ - Description: "capacityReservationId specifies the target Capacity Reservation into which the instance should be launched. The field size should be greater than 0 and the field input must start with cr-***", - Default: "", - Type: []string{"string"}, + Description: "Enables and disables trunk at port level. If not provided, openStackMachine.Spec.Trunk is inherited.", + Type: []string{"boolean"}, Format: "", }, }, - "marketType": { + "hostID": { SchemaProps: spec.SchemaProps{ - Description: "marketType specifies the type of market for the EC2 instance. Valid values are OnDemand, Spot, CapacityBlock and omitted.\n\nDefaults to OnDemand. When SpotMarketOptions is provided, the marketType defaults to \"Spot\".\n\nWhen set to OnDemand the instance runs as a standard OnDemand instance. When set to Spot the instance runs as a Spot instance. When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. If this value is selected, capacityReservationID must be specified to identify the target reservation.", + Description: "The ID of the host where the port is allocated. Do not use this field: it cannot be used correctly. Deprecated: hostID is silently ignored. It will be removed with no replacement.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"ami", "instanceType", "deviceIndex", "subnet", "placement"}, + Required: []string{"networkID"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AWSResourceReference", "github.com/openshift/api/machine/v1beta1.BlockDeviceMappingSpec", "github.com/openshift/api/machine/v1beta1.LoadBalancerReference", "github.com/openshift/api/machine/v1beta1.MetadataServiceOptions", "github.com/openshift/api/machine/v1beta1.Placement", "github.com/openshift/api/machine/v1beta1.SpotMarketOptions", "github.com/openshift/api/machine/v1beta1.TagSpecification", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1alpha1.AddressPair", "github.com/openshift/api/machine/v1alpha1.FixedIPs"}, } } -func schema_openshift_api_machine_v1beta1_AWSMachineProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_RootVolume(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSMachineProviderConfigList contains a list of AWSMachineProviderConfig Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "sourceUUID": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "sourceUUID specifies the UUID of a glance image used to populate the root volume. Deprecated: set image in the platform spec instead. This will be ignored if image is set in the platform spec.", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "volumeType": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "volumeType specifies a volume type to use when creating the root volume. If not specified the default volume type will be used.", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "diskSize": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Description: "diskSize specifies the size, in GiB, of the created root volume.", + Type: []string{"integer"}, + Format: "int32", }, }, - "items": { + "availabilityZone": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSMachineProviderConfig"), - }, - }, - }, + Description: "availabilityZone specifies the Cinder availability where the root volume will be created.", + Type: []string{"string"}, + Format: "", + }, + }, + "sourceType": { + SchemaProps: spec.SchemaProps{ + Description: "Deprecated: sourceType will be silently ignored. There is no replacement.", + Type: []string{"string"}, + Format: "", + }, + }, + "deviceType": { + SchemaProps: spec.SchemaProps{ + Description: "Deprecated: deviceType will be silently ignored. There is no replacement.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"items"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AWSMachineProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_AWSMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_SecurityGroupFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains AWS-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "id specifies the ID of a security group to use. If set, id will not be validated before use. An invalid id will result in failure to create a server with an appropriate error message.", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "name filters security groups by name.", Type: []string{"string"}, Format: "", }, }, - "instanceId": { + "description": { SchemaProps: spec.SchemaProps{ - Description: "instanceId is the instance ID of the machine created in AWS", + Description: "description filters security groups by description.", Type: []string{"string"}, Format: "", }, }, - "instanceState": { + "tenantId": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the state of the AWS instance for this machine", + Description: "tenantId filters security groups by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", Type: []string{"string"}, Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, + "projectId": { SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, + Description: "projectId filters security groups by project ID.", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, - } -} - -func schema_openshift_api_machine_v1beta1_AWSResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters. Only one of ID, ARN or Filters may be specified. Specifying more than one will result in a validation error.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "id": { + "tags": { SchemaProps: spec.SchemaProps{ - Description: "id of resource", + Description: "tags filters by security groups containing all specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "arn": { + "tagsAny": { SchemaProps: spec.SchemaProps{ - Description: "arn of resource", + Description: "tagsAny filters by security groups containing any specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "filters": { + "notTags": { SchemaProps: spec.SchemaProps{ - Description: "filters is a set of filters used to identify a resource", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Filter"), - }, - }, - }, + Description: "notTags filters by security groups which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.Filter"}, - } -} - -func schema_openshift_api_machine_v1beta1_AddressesFromPool(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AddressesFromPool is an IPAddressPool that will be used to create IPAddressClaims for fulfillment by an external controller.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "group": { + "notTagsAny": { SchemaProps: spec.SchemaProps{ - Description: "group of the IP address pool type known to an external IPAM controller. This should be a fully qualified domain name, for example, externalipam.controller.io.", - Default: "", + Description: "notTagsAny filters by security groups which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "resource": { + "limit": { SchemaProps: spec.SchemaProps{ - Description: "resource of the IP address pool type known to an external IPAM controller. It is normally the plural form of the resource kind in lowercase, for example, ippools.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "Deprecated: limit is silently ignored. It has no replacement.", + Type: []string{"integer"}, + Format: "int32", }, }, - "name": { + "marker": { SchemaProps: spec.SchemaProps{ - Description: "name of an IP address pool, for example, pool-config-1.", - Default: "", + Description: "Deprecated: marker is silently ignored. It has no replacement.", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"group", "resource", "name"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_AzureBootDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AzureBootDiagnostics configures the boot diagnostics settings for the virtual machine. This allows you to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "storageAccountType": { + "sortKey": { SchemaProps: spec.SchemaProps{ - Description: "storageAccountType determines if the storage account for storing the diagnostics data should be provisioned by Azure (AzureManaged) or by the customer (CustomerManaged).", - Default: "", + Description: "Deprecated: sortKey is silently ignored. It has no replacement.", Type: []string{"string"}, Format: "", }, }, - "customerManaged": { + "sortDir": { SchemaProps: spec.SchemaProps{ - Description: "customerManaged provides reference to the customer manager storage account.", - Ref: ref("github.com/openshift/api/machine/v1beta1.AzureCustomerManagedBootDiagnostics"), - }, - }, - }, - Required: []string{"storageAccountType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "storageAccountType", - "fields-to-discriminateBy": map[string]interface{}{ - "customerManaged": "CustomerManaged", - }, + Description: "Deprecated: sortDir is silently ignored. It has no replacement.", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AzureCustomerManagedBootDiagnostics"}, } } -func schema_openshift_api_machine_v1beta1_AzureCustomerManagedBootDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_SecurityGroupParam(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AzureCustomerManagedBootDiagnostics provides reference to a customer managed storage account.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "storageAccountURI": { + "uuid": { SchemaProps: spec.SchemaProps{ - Description: "storageAccountURI is the URI of the customer managed storage account. The URI typically will be `https://.blob.core.windows.net/` but may differ if you are using Azure DNS zone endpoints. You can find the correct endpoint by looking for the Blob Primary Endpoint in the endpoints tab in the Azure console.", - Default: "", + Description: "Security Group UUID", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"storageAccountURI"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_AzureDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AzureDiagnostics is used to configure the diagnostic settings of the virtual machine.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "boot": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "AzureBootDiagnostics configures the boot diagnostics settings for the virtual machine. This allows you to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", - Ref: ref("github.com/openshift/api/machine/v1beta1.AzureBootDiagnostics"), + Description: "Security Group name", + Type: []string{"string"}, + Format: "", + }, + }, + "filter": { + SchemaProps: spec.SchemaProps{ + Description: "Filters used to query security groups in openstack", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.SecurityGroupFilter"), }, }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AzureBootDiagnostics"}, + "github.com/openshift/api/machine/v1alpha1.SecurityGroupFilter"}, } } -func schema_openshift_api_machine_v1beta1_AzureMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1alpha1_SubnetFilter(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine. Required parameters such as location that are not specified by this configuration, will be defaulted by the actuator. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "id is the uuid of a specific subnet to use. If specified, id will not be validated. Instead server creation will fail with an appropriate error.", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "name filters subnets by name.", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "userDataSecret": { - SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.SecretReference"), - }, - }, - "credentialsSecret": { - SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with Azure credentials.", - Ref: ref("k8s.io/api/core/v1.SecretReference"), - }, - }, - "location": { + "description": { SchemaProps: spec.SchemaProps{ - Description: "location is the region to use to create the instance", + Description: "description filters subnets by description.", Type: []string{"string"}, Format: "", }, }, - "vmSize": { + "networkId": { SchemaProps: spec.SchemaProps{ - Description: "vmSize is the size of the VM to create.", + Description: "Deprecated: networkId is silently ignored. Set uuid on the containing network definition instead.", Type: []string{"string"}, Format: "", }, }, - "image": { - SchemaProps: spec.SchemaProps{ - Description: "image is the OS image to use to create the instance.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Image"), - }, - }, - "osDisk": { - SchemaProps: spec.SchemaProps{ - Description: "osDisk represents the parameters for creating the OS disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.OSDisk"), - }, - }, - "dataDisks": { - SchemaProps: spec.SchemaProps{ - Description: "DataDisk specifies the parameters that are used to add one or more data disks to the machine.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DataDisk"), - }, - }, - }, - }, - }, - "sshPublicKey": { + "tenantId": { SchemaProps: spec.SchemaProps{ - Description: "sshPublicKey is the public key to use to SSH to the virtual machine.", + Description: "tenantId filters subnets by tenant ID. Deprecated: use projectId instead. tenantId will be ignored if projectId is set.", Type: []string{"string"}, Format: "", }, }, - "publicIP": { + "projectId": { SchemaProps: spec.SchemaProps{ - Description: "publicIP if true a public IP will be used", - Default: false, - Type: []string{"boolean"}, + Description: "projectId filters subnets by project ID.", + Type: []string{"string"}, Format: "", }, }, - "tags": { + "ipVersion": { SchemaProps: spec.SchemaProps{ - Description: "tags is a list of tags to apply to the machine.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "ipVersion filters subnets by IP version.", + Type: []string{"integer"}, + Format: "int32", }, }, - "securityGroup": { + "gateway_ip": { SchemaProps: spec.SchemaProps{ - Description: "Network Security Group that needs to be attached to the machine's interface. No security group will be attached if empty.", + Description: "gateway_ip filters subnets by gateway IP.", Type: []string{"string"}, Format: "", }, }, - "applicationSecurityGroups": { - SchemaProps: spec.SchemaProps{ - Description: "Application Security Groups that need to be attached to the machine's interface. No application security groups will be attached if zero-length.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "subnet": { + "cidr": { SchemaProps: spec.SchemaProps{ - Description: "subnet to use for this instance", - Default: "", + Description: "cidr filters subnets by CIDR.", Type: []string{"string"}, Format: "", }, }, - "publicLoadBalancer": { + "ipv6AddressMode": { SchemaProps: spec.SchemaProps{ - Description: "publicLoadBalancer to use for this instance", + Description: "ipv6AddressMode filters subnets by IPv6 address mode.", Type: []string{"string"}, Format: "", }, }, - "internalLoadBalancer": { + "ipv6RaMode": { SchemaProps: spec.SchemaProps{ - Description: "InternalLoadBalancerName to use for this instance", + Description: "ipv6RaMode filters subnets by IPv6 router adversiement mode.", Type: []string{"string"}, Format: "", }, }, - "natRule": { + "subnetpoolId": { SchemaProps: spec.SchemaProps{ - Description: "natRule to set inbound NAT rule of the load balancer", - Type: []string{"integer"}, - Format: "int64", + Description: "subnetpoolId filters subnets by subnet pool ID. Deprecated: subnetpoolId is silently ignored.", + Type: []string{"string"}, + Format: "", }, }, - "managedIdentity": { + "tags": { SchemaProps: spec.SchemaProps{ - Description: "managedIdentity to set managed identity name", + Description: "tags filters by subnets containing all specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "vnet": { + "tagsAny": { SchemaProps: spec.SchemaProps{ - Description: "vnet to set virtual network name", + Description: "tagsAny filters by subnets containing any specified tags. Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "zone": { + "notTags": { SchemaProps: spec.SchemaProps{ - Description: "Availability Zone for the virtual machine. If nil, the virtual machine should be deployed to no zone", + Description: "notTags filters by subnets which don't match all specified tags. NOT (t1 AND t2...) Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "networkResourceGroup": { + "notTagsAny": { SchemaProps: spec.SchemaProps{ - Description: "networkResourceGroup is the resource group for the virtual machine's network", + Description: "notTagsAny filters by subnets which don't match any specified tags. NOT (t1 OR t2...) Multiple tags are comma separated.", Type: []string{"string"}, Format: "", }, }, - "resourceGroup": { + "enableDhcp": { SchemaProps: spec.SchemaProps{ - Description: "resourceGroup is the resource group for the virtual machine", - Type: []string{"string"}, + Description: "Deprecated: enableDhcp is silently ignored. It has no replacement.", + Type: []string{"boolean"}, Format: "", }, }, - "spotVMOptions": { + "limit": { SchemaProps: spec.SchemaProps{ - Description: "spotVMOptions allows the ability to specify the Machine should use a Spot VM", - Ref: ref("github.com/openshift/api/machine/v1beta1.SpotVMOptions"), + Description: "Deprecated: limit is silently ignored. It has no replacement.", + Type: []string{"integer"}, + Format: "int32", }, }, - "securityProfile": { + "marker": { SchemaProps: spec.SchemaProps{ - Description: "securityProfile specifies the Security profile settings for a virtual machine.", - Ref: ref("github.com/openshift/api/machine/v1beta1.SecurityProfile"), + Description: "Deprecated: marker is silently ignored. It has no replacement.", + Type: []string{"string"}, + Format: "", }, }, - "ultraSSDCapability": { + "sortKey": { SchemaProps: spec.SchemaProps{ - Description: "ultraSSDCapability enables or disables Azure UltraSSD capability for a virtual machine. This can be used to allow/disallow binding of Azure UltraSSD to the Machine both as Data Disks or via Persistent Volumes. This Azure feature is subject to a specific scope and certain limitations. More informations on this can be found in the official Azure documentation for Ultra Disks: (https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-ultra-ssd?tabs=azure-portal#ga-scope-and-limitations).\n\nWhen omitted, if at least one Data Disk of type UltraSSD is specified, the platform will automatically enable the capability. If a Perisistent Volume backed by an UltraSSD is bound to a Pod on the Machine, when this field is ommitted, the platform will *not* automatically enable the capability (unless already enabled by the presence of an UltraSSD as Data Disk). This may manifest in the Pod being stuck in `ContainerCreating` phase. This defaulting behaviour may be subject to change in future.\n\nWhen set to \"Enabled\", if the capability is available for the Machine based on the scope and limitations described above, the capability will be set on the Machine. This will thus allow UltraSSD both as Data Disks and Persistent Volumes. If set to \"Enabled\" when the capability can't be available due to scope and limitations, the Machine will go into \"Failed\" state.\n\nWhen set to \"Disabled\", UltraSSDs will not be allowed either as Data Disks nor as Persistent Volumes. In this case if any UltraSSDs are specified as Data Disks on a Machine, the Machine will go into a \"Failed\" state. If instead any UltraSSDs are backing the volumes (via Persistent Volumes) of any Pods scheduled on a Node which is backed by the Machine, the Pod may get stuck in `ContainerCreating` phase.", + Description: "Deprecated: sortKey is silently ignored. It has no replacement.", Type: []string{"string"}, Format: "", }, }, - "acceleratedNetworking": { + "sortDir": { SchemaProps: spec.SchemaProps{ - Description: "acceleratedNetworking enables or disables Azure accelerated networking feature. Set to false by default. If true, then this will depend on whether the requested VMSize is supported. If set to true with an unsupported VMSize, Azure will return an error.", - Type: []string{"boolean"}, + Description: "Deprecated: sortDir is silently ignored. It has no replacement.", + Type: []string{"string"}, Format: "", }, }, - "availabilitySet": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1alpha1_SubnetParam(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uuid": { SchemaProps: spec.SchemaProps{ - Description: "availabilitySet specifies the availability set to use for this instance. Availability set should be precreated, before using this field.", + Description: "The UUID of the network. Required if you omit the port attribute.", Type: []string{"string"}, Format: "", }, }, - "diagnostics": { + "filter": { + SchemaProps: spec.SchemaProps{ + Description: "Filters for optional network query", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1alpha1.SubnetFilter"), + }, + }, + "portTags": { SchemaProps: spec.SchemaProps{ - Description: "diagnostics configures the diagnostics settings for the virtual machine. This allows you to configure boot diagnostics such as capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AzureDiagnostics"), + Description: "portTags are tags that are added to ports created on this subnet", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "capacityReservationGroupID": { + "portSecurity": { SchemaProps: spec.SchemaProps{ - Description: "capacityReservationGroupID specifies the capacity reservation group resource id that should be used for allocating the virtual machine. The field size should be greater than 0 and the field input must start with '/'. The input for capacityReservationGroupID must be similar to '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/capacityReservationGroups/{capacityReservationGroupName}'. The keys which are used should be among 'subscriptions', 'providers' and 'resourcegroups' followed by valid ID or names respectively.", - Type: []string{"string"}, + Description: "portSecurity optionally enables or disables security on ports managed by OpenStack Deprecated: portSecurity is silently ignored. Set portSecurity on the parent network instead.", + Type: []string{"boolean"}, Format: "", }, }, }, - Required: []string{"image", "osDisk", "publicIP", "subnet"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AzureDiagnostics", "github.com/openshift/api/machine/v1beta1.DataDisk", "github.com/openshift/api/machine/v1beta1.Image", "github.com/openshift/api/machine/v1beta1.OSDisk", "github.com/openshift/api/machine/v1beta1.SecurityProfile", "github.com/openshift/api/machine/v1beta1.SpotVMOptions", "k8s.io/api/core/v1.SecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1alpha1.SubnetFilter"}, } } -func schema_openshift_api_machine_v1beta1_AzureMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AWSMachineProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AzureMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains Azure-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "AWSMachineProviderConfig is the Schema for the awsmachineproviderconfigs API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -37335,585 +38328,474 @@ func schema_openshift_api_machine_v1beta1_AzureMachineProviderStatus(ref common. Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "vmId": { + "ami": { SchemaProps: spec.SchemaProps{ - Description: "vmId is the ID of the virtual machine created in Azure.", - Type: []string{"string"}, - Format: "", + Description: "ami is the reference to the AMI from which to create the machine instance.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), }, }, - "vmState": { + "instanceType": { SchemaProps: spec.SchemaProps{ - Description: "vmState is the provisioning state of the Azure virtual machine.", + Description: "instanceType is the type of instance to create. Example: m4.xlarge", + Default: "", Type: []string{"string"}, Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, + "tags": { SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status.", + Description: "tags is the set of tags to add to apply to an instance, in addition to the ones added by default by the actuator. These tags are additive. The actuator will ensure these tags are present, but will not remove any other tags that may exist on the instance.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + Ref: ref("github.com/openshift/api/machine/v1beta1.TagSpecification"), }, }, }, }, }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_machine_v1beta1_BlockDeviceMappingSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "BlockDeviceMappingSpec describes a block device mapping", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "deviceName": { + "iamInstanceProfile": { SchemaProps: spec.SchemaProps{ - Description: "The device name exposed to the machine (for example, /dev/sdh or xvdh).", - Type: []string{"string"}, - Format: "", + Description: "iamInstanceProfile is a reference to an IAM role to assign to the instance", + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), }, }, - "ebs": { + "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "Parameters used to automatically set up EBS volumes when the machine is launched.", - Ref: ref("github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec"), + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - "noDevice": { + "credentialsSecret": { SchemaProps: spec.SchemaProps{ - Description: "Suppresses the specified device included in the block device mapping of the AMI.", - Type: []string{"string"}, - Format: "", + Description: "credentialsSecret is a reference to the secret with AWS credentials. Otherwise, defaults to permissions provided by attached IAM role where the actuator is running.", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - "virtualName": { + "keyName": { SchemaProps: spec.SchemaProps{ - Description: "The virtual device name (ephemeralN). Machine store volumes are numbered starting from 0. An machine type with 2 available machine store volumes can specify mappings for ephemeral0 and ephemeral1.The number of available machine store volumes depends on the machine type. After you connect to the machine, you must mount the volume.\n\nConstraints: For M3 machines, you must specify machine store volumes in the block device mapping for the machine. When you launch an M3 machine, we ignore any machine store volumes specified in the block device mapping for the AMI.", + Description: "keyName is the name of the KeyPair to use for SSH", Type: []string{"string"}, Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec"}, - } -} - -func schema_openshift_api_machine_v1beta1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Condition defines an observation of a Machine API resource operational state.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { + "deviceIndex": { SchemaProps: spec.SchemaProps{ - Description: "type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "deviceIndex is the index of the device on the instance for the network interface attachment. Defaults to 0.", + Default: 0, + Type: []string{"integer"}, + Format: "int64", }, }, - "status": { + "publicIp": { SchemaProps: spec.SchemaProps{ - Description: "status of the condition, one of True, False, Unknown.", - Default: "", - Type: []string{"string"}, + Description: "publicIp specifies whether the instance should get a public IP. If not present, it should use the default of its subnet.", + Type: []string{"boolean"}, Format: "", }, }, - "severity": { + "networkInterfaceType": { SchemaProps: spec.SchemaProps{ - Description: "severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.", + Description: "networkInterfaceType specifies the type of network interface to be used for the primary network interface. Valid values are \"ENA\", \"EFA\", and omitted, which means no opinion and the platform chooses a good default which may change over time. The current default value is \"ENA\". Please visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html to learn more about the AWS Elastic Fabric Adapter interface option.", Type: []string{"string"}, Format: "", }, }, - "lastTransitionTime": { + "securityGroups": { SchemaProps: spec.SchemaProps{ - Description: "Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "securityGroups is an array of references to security groups that should be applied to the instance.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), + }, + }, + }, }, }, - "reason": { + "subnet": { SchemaProps: spec.SchemaProps{ - Description: "The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.", - Type: []string{"string"}, - Format: "", + Description: "subnet is a reference to the subnet to use for this instance", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), }, }, - "message": { + "placement": { SchemaProps: spec.SchemaProps{ - Description: "A human readable message indicating details about the transition. This field may be empty.", - Type: []string{"string"}, - Format: "", + Description: "placement specifies where to create the instance in AWS", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Placement"), }, }, - }, - Required: []string{"type", "status", "lastTransitionTime"}, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, - } -} - -func schema_openshift_api_machine_v1beta1_ConfidentialVM(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ConfidentialVM defines the UEFI settings for the virtual machine.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "uefiSettings": { + "loadBalancers": { SchemaProps: spec.SchemaProps{ - Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + Description: "loadBalancers is the set of load balancers to which the new instance should be added once it is created.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.LoadBalancerReference"), + }, + }, + }, }, }, - }, - Required: []string{"uefiSettings"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.UEFISettings"}, - } -} - -func schema_openshift_api_machine_v1beta1_DataDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DataDisk specifies the parameters that are used to add one or more data disks to the machine. A Data Disk is a managed disk that's attached to a virtual machine to store application data. It differs from an OS Disk as it doesn't come with a pre-installed OS, and it cannot contain the boot volume. It is registered as SCSI drive and labeled with the chosen `lun`. e.g. for `lun: 0` the raw disk device will be available at `/dev/disk/azure/scsi1/lun0`.\n\nAs the Data Disk disk device is attached raw to the virtual machine, it will need to be partitioned, formatted with a filesystem and mounted, in order for it to be usable. This can be done by creating a custom userdata Secret with custom Ignition configuration to achieve the desired initialization. At this stage the previously defined `lun` is to be used as the \"device\" key for referencing the raw disk device to be initialized. Once the custom userdata Secret has been created, it can be referenced in the Machine's `.providerSpec.userDataSecret`. For further guidance and examples, please refer to the official OpenShift docs.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "nameSuffix": { + "blockDevices": { SchemaProps: spec.SchemaProps{ - Description: "nameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. NameSuffix name must start and finish with an alphanumeric character and can only contain letters, numbers, underscores, periods or hyphens. The overall disk name must not exceed 80 chars in length.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "blockDevices is the set of block device mapping associated to this instance, block device without a name will be used as a root device and only one device without a name is allowed https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.BlockDeviceMappingSpec"), + }, + }, + }, }, }, - "diskSizeGB": { + "spotMarketOptions": { SchemaProps: spec.SchemaProps{ - Description: "diskSizeGB is the size in GB to assign to the data disk.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "spotMarketOptions allows users to configure instances to be run using AWS Spot instances.", + Ref: ref("github.com/openshift/api/machine/v1beta1.SpotMarketOptions"), }, }, - "managedDisk": { + "metadataServiceOptions": { SchemaProps: spec.SchemaProps{ - Description: "managedDisk specifies the Managed Disk parameters for the data disk. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a ManagedDisk with with storageAccountType: \"Premium_LRS\" and diskEncryptionSet.id: \"Default\".", + Description: "metadataServiceOptions allows users to configure instance metadata service interaction options. If nothing specified, default AWS IMDS settings will be applied. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters"), + Ref: ref("github.com/openshift/api/machine/v1beta1.MetadataServiceOptions"), }, }, - "lun": { + "placementGroupName": { SchemaProps: spec.SchemaProps{ - Description: "lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. This value is also needed for referencing the data disks devices within userdata to perform disk initialization through Ignition (e.g. partition/format/mount). The value must be between 0 and 63.", + Description: "placementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", + Type: []string{"string"}, + Format: "", + }, + }, + "placementGroupPartition": { + SchemaProps: spec.SchemaProps{ + Description: "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", Type: []string{"integer"}, Format: "int32", }, }, - "cachingType": { + "capacityReservationId": { SchemaProps: spec.SchemaProps{ - Description: "cachingType specifies the caching requirements. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is CachingTypeNone.", + Description: "capacityReservationId specifies the target Capacity Reservation into which the instance should be launched. The field size should be greater than 0 and the field input must start with cr-***", + Default: "", Type: []string{"string"}, Format: "", }, }, - "deletionPolicy": { + "marketType": { SchemaProps: spec.SchemaProps{ - Description: "deletionPolicy specifies the data disk deletion policy upon Machine deletion. Possible values are \"Delete\",\"Detach\". When \"Delete\" is used the data disk is deleted when the Machine is deleted. When \"Detach\" is used the data disk is detached from the Machine and retained when the Machine is deleted.", - Default: "", + Description: "marketType specifies the type of market for the EC2 instance. Valid values are OnDemand, Spot, CapacityBlock and omitted.\n\nDefaults to OnDemand. When SpotMarketOptions is provided, the marketType defaults to \"Spot\".\n\nWhen set to OnDemand the instance runs as a standard OnDemand instance. When set to Spot the instance runs as a Spot instance. When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. If this value is selected, capacityReservationID must be specified to identify the target reservation.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"nameSuffix", "diskSizeGB", "lun", "deletionPolicy"}, + Required: []string{"ami", "instanceType", "deviceIndex", "subnet", "placement"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters"}, + "github.com/openshift/api/machine/v1beta1.AWSResourceReference", "github.com/openshift/api/machine/v1beta1.BlockDeviceMappingSpec", "github.com/openshift/api/machine/v1beta1.LoadBalancerReference", "github.com/openshift/api/machine/v1beta1.MetadataServiceOptions", "github.com/openshift/api/machine/v1beta1.Placement", "github.com/openshift/api/machine/v1beta1.SpotMarketOptions", "github.com/openshift/api/machine/v1beta1.TagSpecification", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_DataDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AWSMachineProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk.", + Description: "AWSMachineProviderConfigList contains a list of AWSMachineProviderConfig Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "storageAccountType": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\" and \"UltraSSD_LRS\".", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "diskEncryptionSet": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "diskEncryptionSet is the disk encryption set properties. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a DiskEncryptionSet with id: \"Default\".", - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - }, - Required: []string{"storageAccountType"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, - } -} - -func schema_openshift_api_machine_v1beta1_DiskEncryptionSetParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DiskEncryptionSetParameters is the disk encryption set properties", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "id": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "id is the disk encryption set ID Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is: \"Default\".", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_DiskSettings(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DiskSettings describe ephemeral disk settings for the os disk.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "ephemeralStorageLocation": { + "items": { SchemaProps: spec.SchemaProps{ - Description: "ephemeralStorageLocation enables ephemeral OS when set to 'Local'. Possible values include: 'Local'. See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks for full details. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is that disks are saved to remote Azure storage.", - Type: []string{"string"}, - Format: "", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSMachineProviderConfig"), + }, + }, + }, }, }, }, + Required: []string{"items"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.AWSMachineProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AWSMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", + Description: "AWSMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains AWS-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "deleteOnTermination": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "Indicates whether the EBS volume is deleted on machine termination.", - Type: []string{"boolean"}, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, Format: "", }, }, - "encrypted": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", - Type: []string{"boolean"}, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, Format: "", }, }, - "kmsKey": { + "instanceId": { SchemaProps: spec.SchemaProps{ - Description: "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), + Description: "instanceId is the instance ID of the machine created in AWS", + Type: []string{"string"}, + Format: "", }, }, - "iops": { + "instanceState": { SchemaProps: spec.SchemaProps{ - Description: "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", - Type: []string{"integer"}, - Format: "int64", + Description: "instanceState is the state of the AWS instance for this machine", + Type: []string{"string"}, + Format: "", }, }, - "volumeSize": { - SchemaProps: spec.SchemaProps{ - Description: "The size of the volume, in GiB.\n\nConstraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned IOPS SSD (io1), 500-16384 for Throughput Optimized HDD (st1), 500-16384 for Cold HDD (sc1), and 1-1024 for Magnetic (standard) volumes. If you specify a snapshot, the volume size must be equal to or larger than the snapshot size.\n\nDefault: If you're creating the volume from a snapshot and don't specify a volume size, the default is the snapshot size.", - Type: []string{"integer"}, - Format: "int64", + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, }, - }, - "volumeType": { SchemaProps: spec.SchemaProps{ - Description: "The volume type: gp2, io1, st1, sc1, or standard. Default: standard", - Type: []string{"string"}, - Format: "", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, }, }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AWSResourceReference"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machine_v1beta1_Filter(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AWSResourceReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Filter is a filter used to identify an AWS resource", + Description: "AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters. Only one of ID, ARN or Filters may be specified. Specifying more than one will result in a validation error.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "name of the filter. Filter names are case-sensitive.", - Default: "", + Description: "id of resource", Type: []string{"string"}, Format: "", }, }, - "values": { + "arn": { SchemaProps: spec.SchemaProps{ - Description: "values includes one or more filter values. Filter values are case-sensitive.", + Description: "arn of resource", + Type: []string{"string"}, + Format: "", + }, + }, + "filters": { + SchemaProps: spec.SchemaProps{ + Description: "filters is a set of filters used to identify a resource", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Filter"), }, }, }, }, }, }, - Required: []string{"name"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.Filter"}, } } -func schema_openshift_api_machine_v1beta1_GCPDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AddressesFromPool(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPDisk describes disks for GCP.", + Description: "AddressesFromPool is an IPAddressPool that will be used to create IPAddressClaims for fulfillment by an external controller.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "autoDelete": { - SchemaProps: spec.SchemaProps{ - Description: "autoDelete indicates if the disk will be auto-deleted when the instance is deleted (default false).", - Default: false, - Type: []string{"boolean"}, - Format: "", - }, - }, - "boot": { + "group": { SchemaProps: spec.SchemaProps{ - Description: "boot indicates if this is a boot disk (default false).", - Default: false, - Type: []string{"boolean"}, + Description: "group of the IP address pool type known to an external IPAM controller. This should be a fully qualified domain name, for example, externalipam.controller.io.", + Default: "", + Type: []string{"string"}, Format: "", }, }, - "sizeGb": { - SchemaProps: spec.SchemaProps{ - Description: "sizeGb is the size of the disk (in GB).", - Default: 0, - Type: []string{"integer"}, - Format: "int64", - }, - }, - "type": { + "resource": { SchemaProps: spec.SchemaProps{ - Description: "type is the type of the disk (eg: pd-standard).", + Description: "resource of the IP address pool type known to an external IPAM controller. It is normally the plural form of the resource kind in lowercase, for example, ippools.", Default: "", Type: []string{"string"}, Format: "", }, }, - "image": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "image is the source image to create this disk.", + Description: "name of an IP address pool, for example, pool-config-1.", Default: "", Type: []string{"string"}, Format: "", }, }, - "labels": { - SchemaProps: spec.SchemaProps{ - Description: "labels list of labels to apply to the disk.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "encryptionKey": { - SchemaProps: spec.SchemaProps{ - Description: "encryptionKey is the customer-supplied encryption key of the disk.", - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPEncryptionKeyReference"), - }, - }, }, - Required: []string{"autoDelete", "boot", "sizeGb", "type", "image", "labels"}, + Required: []string{"group", "resource", "name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.GCPEncryptionKeyReference"}, } } -func schema_openshift_api_machine_v1beta1_GCPEncryptionKeyReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AzureBootDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPEncryptionKeyReference describes the encryptionKey to use for a disk's encryption.", + Description: "AzureBootDiagnostics configures the boot diagnostics settings for the virtual machine. This allows you to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kmsKey": { + "storageAccountType": { SchemaProps: spec.SchemaProps{ - Description: "KMSKeyName is the reference KMS key, in the format", - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPKMSKeyReference"), + Description: "storageAccountType determines if the storage account for storing the diagnostics data should be provisioned by Azure (AzureManaged) or by the customer (CustomerManaged).", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "kmsKeyServiceAccount": { + "customerManaged": { SchemaProps: spec.SchemaProps{ - Description: "kmsKeyServiceAccount is the service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. See https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_service_account for details on the default service account.", - Type: []string{"string"}, - Format: "", + Description: "customerManaged provides reference to the customer manager storage account.", + Ref: ref("github.com/openshift/api/machine/v1beta1.AzureCustomerManagedBootDiagnostics"), + }, + }, + }, + Required: []string{"storageAccountType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "storageAccountType", + "fields-to-discriminateBy": map[string]interface{}{ + "customerManaged": "CustomerManaged", + }, }, }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.GCPKMSKeyReference"}, + "github.com/openshift/api/machine/v1beta1.AzureCustomerManagedBootDiagnostics"}, } } -func schema_openshift_api_machine_v1beta1_GCPGPUConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AzureCustomerManagedBootDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPGPUConfig describes type and count of GPUs attached to the instance on GCP.", + Description: "AzureCustomerManagedBootDiagnostics provides reference to a customer managed storage account.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "count": { - SchemaProps: spec.SchemaProps{ - Description: "count is the number of GPUs to be attached to an instance.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", - }, - }, - "type": { + "storageAccountURI": { SchemaProps: spec.SchemaProps{ - Description: "type is the type of GPU to be attached to an instance. Supported GPU types are: nvidia-tesla-k80, nvidia-tesla-p100, nvidia-tesla-v100, nvidia-tesla-p4, nvidia-tesla-t4", + Description: "storageAccountURI is the URI of the customer managed storage account. The URI typically will be `https://.blob.core.windows.net/` but may differ if you are using Azure DNS zone endpoints. You can find the correct endpoint by looking for the Blob Primary Endpoint in the endpoints tab in the Azure console.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"count", "type"}, + Required: []string{"storageAccountURI"}, }, }, } } -func schema_openshift_api_machine_v1beta1_GCPKMSKeyReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AzureDiagnostics(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPKMSKeyReference gathers required fields for looking up a GCP KMS Key", + Description: "AzureDiagnostics is used to configure the diagnostic settings of the virtual machine.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is the name of the customer managed encryption key to be used for the disk encryption.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "keyRing": { - SchemaProps: spec.SchemaProps{ - Description: "keyRing is the name of the KMS Key Ring which the KMS Key belongs to.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "projectID": { - SchemaProps: spec.SchemaProps{ - Description: "projectID is the ID of the Project in which the KMS Key Ring exists. Defaults to the VM ProjectID if not set.", - Type: []string{"string"}, - Format: "", - }, - }, - "location": { + "boot": { SchemaProps: spec.SchemaProps{ - Description: "location is the GCP location in which the Key Ring exists.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "AzureBootDiagnostics configures the boot diagnostics settings for the virtual machine. This allows you to configure capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", + Ref: ref("github.com/openshift/api/machine/v1beta1.AzureBootDiagnostics"), }, }, }, - Required: []string{"name", "keyRing", "location"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.AzureBootDiagnostics"}, } } -func schema_openshift_api_machine_v1beta1_GCPMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AzureMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an GCP virtual machine. It is used by the GCP machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine. Required parameters such as location that are not specified by this configuration, will be defaulted by the actuator. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -37932,113 +38814,85 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderSpec(ref common.Refe }, "metadata": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, "userDataSecret": { SchemaProps: spec.SchemaProps{ Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Ref: ref("k8s.io/api/core/v1.SecretReference"), }, }, "credentialsSecret": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with GCP credentials.", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "credentialsSecret is a reference to the secret with Azure credentials.", + Ref: ref("k8s.io/api/core/v1.SecretReference"), }, }, - "canIPForward": { + "location": { SchemaProps: spec.SchemaProps{ - Description: "canIPForward Allows this instance to send and receive packets with non-matching destination or source IPs. This is required if you plan to use this instance to forward routes.", - Default: false, - Type: []string{"boolean"}, + Description: "location is the region to use to create the instance", + Type: []string{"string"}, Format: "", }, }, - "deletionProtection": { + "vmSize": { SchemaProps: spec.SchemaProps{ - Description: "deletionProtection whether the resource should be protected against deletion.", - Default: false, - Type: []string{"boolean"}, + Description: "vmSize is the size of the VM to create.", + Type: []string{"string"}, Format: "", }, }, - "disks": { + "image": { SchemaProps: spec.SchemaProps{ - Description: "disks is a list of disks to be attached to the VM.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPDisk"), - }, - }, - }, + Description: "image is the OS image to use to create the instance.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Image"), }, }, - "labels": { + "osDisk": { SchemaProps: spec.SchemaProps{ - Description: "labels list of labels to apply to the VM.", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "osDisk represents the parameters for creating the OS disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.OSDisk"), }, }, - "gcpMetadata": { + "dataDisks": { SchemaProps: spec.SchemaProps{ - Description: "Metadata key/value pairs to apply to the VM.", + Description: "DataDisk specifies the parameters that are used to add one or more data disks to the machine.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPMetadata"), + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DataDisk"), }, }, }, }, }, - "networkInterfaces": { + "sshPublicKey": { SchemaProps: spec.SchemaProps{ - Description: "networkInterfaces is a list of network interfaces to be attached to the VM.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPNetworkInterface"), - }, - }, - }, + Description: "sshPublicKey is the public key to use to SSH to the virtual machine.", + Type: []string{"string"}, + Format: "", }, }, - "serviceAccounts": { + "publicIP": { SchemaProps: spec.SchemaProps{ - Description: "serviceAccounts is a list of GCP service accounts to be used by the VM.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPServiceAccount"), - }, - }, - }, + Description: "publicIP if true a public IP will be used", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, "tags": { SchemaProps: spec.SchemaProps{ - Description: "tags list of network tags to apply to the VM.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ + Description: "tags is a list of tags to apply to the machine.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: "", @@ -38049,9 +38903,16 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderSpec(ref common.Refe }, }, }, - "targetPools": { + "securityGroup": { SchemaProps: spec.SchemaProps{ - Description: "targetPools are used for network TCP/UDP load balancing. A target pool references member instances, an associated legacy HttpHealthCheck resource, and, optionally, a backup target pool", + Description: "Network Security Group that needs to be attached to the machine's interface. No security group will be attached if empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "applicationSecurityGroups": { + SchemaProps: spec.SchemaProps{ + Description: "Application Security Groups that need to be attached to the machine's interface. No application security groups will be attached if zero-length.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -38064,122 +38925,131 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderSpec(ref common.Refe }, }, }, - "machineType": { + "subnet": { SchemaProps: spec.SchemaProps{ - Description: "machineType is the machine type to use for the VM.", + Description: "subnet to use for this instance", Default: "", Type: []string{"string"}, Format: "", }, }, - "region": { + "publicLoadBalancer": { SchemaProps: spec.SchemaProps{ - Description: "region is the region in which the GCP machine provider will create the VM.", - Default: "", + Description: "publicLoadBalancer to use for this instance", Type: []string{"string"}, Format: "", }, }, - "zone": { + "internalLoadBalancer": { SchemaProps: spec.SchemaProps{ - Description: "zone is the zone in which the GCP machine provider will create the VM.", - Default: "", + Description: "InternalLoadBalancerName to use for this instance", Type: []string{"string"}, Format: "", }, }, - "projectID": { + "natRule": { SchemaProps: spec.SchemaProps{ - Description: "projectID is the project in which the GCP machine provider will create the VM.", + Description: "natRule to set inbound NAT rule of the load balancer", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "managedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "managedIdentity to set managed identity name", Type: []string{"string"}, Format: "", }, }, - "gpus": { + "vnet": { SchemaProps: spec.SchemaProps{ - Description: "gpus is a list of GPUs to be attached to the VM.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPGPUConfig"), - }, - }, - }, + Description: "vnet to set virtual network name", + Type: []string{"string"}, + Format: "", }, }, - "preemptible": { + "zone": { SchemaProps: spec.SchemaProps{ - Description: "preemptible indicates if created instance is preemptible.", - Type: []string{"boolean"}, + Description: "Availability Zone for the virtual machine. If nil, the virtual machine should be deployed to no zone", + Type: []string{"string"}, Format: "", }, }, - "onHostMaintenance": { + "networkResourceGroup": { SchemaProps: spec.SchemaProps{ - Description: "onHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. This is required to be set to \"Terminate\" if you want to provision machine with attached GPUs. Otherwise, allowed values are \"Migrate\" and \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Migrate\".", + Description: "networkResourceGroup is the resource group for the virtual machine's network", Type: []string{"string"}, Format: "", }, }, - "restartPolicy": { + "resourceGroup": { SchemaProps: spec.SchemaProps{ - Description: "restartPolicy determines the behavior when an instance crashes or the underlying infrastructure provider stops the instance as part of a maintenance event (default \"Always\"). Cannot be \"Always\" with preemptible instances. Otherwise, allowed values are \"Always\" and \"Never\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Always\". RestartPolicy represents AutomaticRestart in GCP compute api", + Description: "resourceGroup is the resource group for the virtual machine", Type: []string{"string"}, Format: "", }, }, - "shieldedInstanceConfig": { + "spotVMOptions": { SchemaProps: spec.SchemaProps{ - Description: "shieldedInstanceConfig is the Shielded VM configuration for the VM", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.GCPShieldedInstanceConfig"), + Description: "spotVMOptions allows the ability to specify the Machine should use a Spot VM", + Ref: ref("github.com/openshift/api/machine/v1beta1.SpotVMOptions"), }, }, - "confidentialCompute": { + "securityProfile": { SchemaProps: spec.SchemaProps{ - Description: "confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice. Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions When set to Disabled, the machine will not be configured to be a confidential computing instance. When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization. When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology. When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology. When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology. If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines. AMDEncryptedVirtualizationNestedPaging is supported in n2d machines. IntelTrustedDomainExtensions is supported in c3 machines. If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones If any value other than Disabled is set onHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", + Description: "securityProfile specifies the Security profile settings for a virtual machine.", + Ref: ref("github.com/openshift/api/machine/v1beta1.SecurityProfile"), + }, + }, + "ultraSSDCapability": { + SchemaProps: spec.SchemaProps{ + Description: "ultraSSDCapability enables or disables Azure UltraSSD capability for a virtual machine. This can be used to allow/disallow binding of Azure UltraSSD to the Machine both as Data Disks or via Persistent Volumes. This Azure feature is subject to a specific scope and certain limitations. More informations on this can be found in the official Azure documentation for Ultra Disks: (https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-ultra-ssd?tabs=azure-portal#ga-scope-and-limitations).\n\nWhen omitted, if at least one Data Disk of type UltraSSD is specified, the platform will automatically enable the capability. If a Perisistent Volume backed by an UltraSSD is bound to a Pod on the Machine, when this field is ommitted, the platform will *not* automatically enable the capability (unless already enabled by the presence of an UltraSSD as Data Disk). This may manifest in the Pod being stuck in `ContainerCreating` phase. This defaulting behaviour may be subject to change in future.\n\nWhen set to \"Enabled\", if the capability is available for the Machine based on the scope and limitations described above, the capability will be set on the Machine. This will thus allow UltraSSD both as Data Disks and Persistent Volumes. If set to \"Enabled\" when the capability can't be available due to scope and limitations, the Machine will go into \"Failed\" state.\n\nWhen set to \"Disabled\", UltraSSDs will not be allowed either as Data Disks nor as Persistent Volumes. In this case if any UltraSSDs are specified as Data Disks on a Machine, the Machine will go into a \"Failed\" state. If instead any UltraSSDs are backing the volumes (via Persistent Volumes) of any Pods scheduled on a Node which is backed by the Machine, the Pod may get stuck in `ContainerCreating` phase.", Type: []string{"string"}, Format: "", }, }, - "resourceManagerTags": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "key", - }, - "x-kubernetes-list-type": "map", - }, + "acceleratedNetworking": { + SchemaProps: spec.SchemaProps{ + Description: "acceleratedNetworking enables or disables Azure accelerated networking feature. Set to false by default. If true, then this will depend on whether the requested VMSize is supported. If set to true with an unsupported VMSize, Azure will return an error.", + Type: []string{"boolean"}, + Format: "", }, + }, + "availabilitySet": { SchemaProps: spec.SchemaProps{ - Description: "resourceManagerTags is an optional list of tags to apply to the GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.ResourceManagerTag"), - }, - }, - }, + Description: "availabilitySet specifies the availability set to use for this instance. Availability set should be precreated, before using this field.", + Type: []string{"string"}, + Format: "", + }, + }, + "diagnostics": { + SchemaProps: spec.SchemaProps{ + Description: "diagnostics configures the diagnostics settings for the virtual machine. This allows you to configure boot diagnostics such as capturing serial output from the virtual machine on boot. This is useful for debugging software based launch issues.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AzureDiagnostics"), + }, + }, + "capacityReservationGroupID": { + SchemaProps: spec.SchemaProps{ + Description: "capacityReservationGroupID specifies the capacity reservation group resource id that should be used for allocating the virtual machine. The field size should be greater than 0 and the field input must start with '/'. The input for capacityReservationGroupID must be similar to '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/capacityReservationGroups/{capacityReservationGroupName}'. The keys which are used should be among 'subscriptions', 'providers' and 'resourcegroups' followed by valid ID or names respectively.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"canIPForward", "deletionProtection", "serviceAccounts", "machineType", "region", "zone"}, + Required: []string{"image", "osDisk", "publicIP", "subnet"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.GCPDisk", "github.com/openshift/api/machine/v1beta1.GCPGPUConfig", "github.com/openshift/api/machine/v1beta1.GCPMetadata", "github.com/openshift/api/machine/v1beta1.GCPNetworkInterface", "github.com/openshift/api/machine/v1beta1.GCPServiceAccount", "github.com/openshift/api/machine/v1beta1.GCPShieldedInstanceConfig", "github.com/openshift/api/machine/v1beta1.ResourceManagerTag", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.AzureDiagnostics", "github.com/openshift/api/machine/v1beta1.DataDisk", "github.com/openshift/api/machine/v1beta1.Image", "github.com/openshift/api/machine/v1beta1.OSDisk", "github.com/openshift/api/machine/v1beta1.SecurityProfile", "github.com/openshift/api/machine/v1beta1.SpotVMOptions", "k8s.io/api/core/v1.SecretReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_GCPMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_AzureMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "GCPMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains GCP-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "AzureMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains Azure-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -38202,16 +39072,16 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderStatus(ref common.Re Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "instanceId": { + "vmId": { SchemaProps: spec.SchemaProps{ - Description: "instanceId is the ID of the instance in GCP", + Description: "vmId is the ID of the virtual machine created in Azure.", Type: []string{"string"}, Format: "", }, }, - "instanceState": { + "vmState": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the provisioning state of the GCP Instance.", + Description: "vmState is the provisioning state of the Azure virtual machine.", Type: []string{"string"}, Format: "", }, @@ -38226,7 +39096,7 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderStatus(ref common.Re }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -38235,249 +39105,47 @@ func schema_openshift_api_machine_v1beta1_GCPMachineProviderStatus(ref common.Re Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_machine_v1beta1_GCPMetadata(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GCPMetadata describes metadata for GCP.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "key": { - SchemaProps: spec.SchemaProps{ - Description: "key is the metadata key.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "value": { - SchemaProps: spec.SchemaProps{ - Description: "value is the metadata value.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"key", "value"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_GCPNetworkInterface(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GCPNetworkInterface describes network interfaces for GCP", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "publicIP": { - SchemaProps: spec.SchemaProps{ - Description: "publicIP indicates if true a public IP will be used", - Type: []string{"boolean"}, - Format: "", - }, - }, - "network": { - SchemaProps: spec.SchemaProps{ - Description: "network is the network name.", - Type: []string{"string"}, - Format: "", - }, - }, - "projectID": { - SchemaProps: spec.SchemaProps{ - Description: "projectID is the project in which the GCP machine provider will create the VM.", - Type: []string{"string"}, - Format: "", - }, - }, - "subnetwork": { - SchemaProps: spec.SchemaProps{ - Description: "subnetwork is the subnetwork name.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_GCPServiceAccount(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GCPServiceAccount describes service accounts for GCP.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "email": { - SchemaProps: spec.SchemaProps{ - Description: "email is the service account email.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "scopes": { - SchemaProps: spec.SchemaProps{ - Description: "scopes list of scopes to be assigned to the service account.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - Required: []string{"email", "scopes"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_GCPShieldedInstanceConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP. Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "secureBoot": { - SchemaProps: spec.SchemaProps{ - Description: "secureBoot Defines whether the instance should have secure boot enabled. Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", - Type: []string{"string"}, - Format: "", - }, - }, - "virtualizedTrustedPlatformModule": { - SchemaProps: spec.SchemaProps{ - Description: "virtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to \"Enabled\" if IntegrityMonitoring is enabled. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.", - Type: []string{"string"}, - Format: "", - }, - }, - "integrityMonitoring": { - SchemaProps: spec.SchemaProps{ - Description: "integrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity. Compares the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_Image(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Image is a mirror of azure sdk compute.ImageReference", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "publisher": { - SchemaProps: spec.SchemaProps{ - Description: "publisher is the name of the organization that created the image", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "offer": { - SchemaProps: spec.SchemaProps{ - Description: "offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "sku": { - SchemaProps: spec.SchemaProps{ - Description: "sku specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "version": { - SchemaProps: spec.SchemaProps{ - Description: "version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "resourceID": { - SchemaProps: spec.SchemaProps{ - Description: "resourceID specifies an image to use by ID", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type identifies the source of the image and related information, such as purchase plans. Valid values are \"ID\", \"MarketplaceWithPlan\", \"MarketplaceNoPlan\", and omitted, which means no opinion and the platform chooses a good default which may change over time. Currently that default is \"MarketplaceNoPlan\" if publisher data is supplied, or \"ID\" if not. For more information about purchase plans, see: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/cli-ps-findimage#check-the-purchase-plan-information", - Type: []string{"string"}, - Format: "", + }, }, }, }, - Required: []string{"publisher", "offer", "sku", "version", "resourceID"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_LastOperation(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_BlockDeviceMappingSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LastOperation represents the detail of the last performed operation on the MachineObject.", + Description: "BlockDeviceMappingSpec describes a block device mapping", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "description": { + "deviceName": { SchemaProps: spec.SchemaProps{ - Description: "description is the human-readable description of the last operation.", + Description: "The device name exposed to the machine (for example, /dev/sdh or xvdh).", Type: []string{"string"}, Format: "", }, }, - "lastUpdated": { + "ebs": { SchemaProps: spec.SchemaProps{ - Description: "lastUpdated is the timestamp at which LastOperation API was last-updated.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "Parameters used to automatically set up EBS volumes when the machine is launched.", + Ref: ref("github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec"), }, }, - "state": { + "noDevice": { SchemaProps: spec.SchemaProps{ - Description: "state is the current status of the last performed operation. E.g. Processing, Failed, Successful etc", + Description: "Suppresses the specified device included in the block device mapping of the AMI.", Type: []string{"string"}, Format: "", }, }, - "type": { + "virtualName": { SchemaProps: spec.SchemaProps{ - Description: "type is the type of operation which was last performed. E.g. Create, Delete, Update etc", + Description: "The virtual device name (ephemeralN). Machine store volumes are numbered starting from 0. An machine type with 2 available machine store volumes can specify mappings for ephemeral0 and ephemeral1.The number of available machine store volumes depends on the machine type. After you connect to the machine, you must mount the volume.\n\nConstraints: For M3 machines, you must specify machine store volumes in the block device mapping for the machine. When you launch an M3 machine, we ignore any machine store volumes specified in the block device mapping for the AMI.", Type: []string{"string"}, Format: "", }, @@ -38486,835 +39154,802 @@ func schema_openshift_api_machine_v1beta1_LastOperation(ref common.ReferenceCall }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + "github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec"}, } } -func schema_openshift_api_machine_v1beta1_LifecycleHook(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LifecycleHook represents a single instance of a lifecycle hook", + Description: "Condition defines an observation of a Machine API resource operational state.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "name defines a unique name for the lifcycle hook. The name should be unique and descriptive, ideally 1-3 words, in CamelCase or it may be namespaced, eg. foo.example.com/CamelCase. Names must be unique and should only be managed by a single entity.", + Description: "type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.", Default: "", Type: []string{"string"}, Format: "", }, }, - "owner": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "owner defines the owner of the lifecycle hook. This should be descriptive enough so that users can identify who/what is responsible for blocking the lifecycle. This could be the name of a controller (e.g. clusteroperator/etcd) or an administrator managing the hook.", + Description: "status of the condition, one of True, False, Unknown.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"name", "owner"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_LifecycleHooks(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "LifecycleHooks allow users to pause operations on the machine at certain prefedined points within the machine lifecycle.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "preDrain": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, + "severity": { + SchemaProps: spec.SchemaProps{ + Description: "severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.", + Type: []string{"string"}, + Format: "", }, + }, + "lastTransitionTime": { SchemaProps: spec.SchemaProps{ - Description: "preDrain hooks prevent the machine from being drained. This also blocks further lifecycle events, such as termination.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHook"), - }, - }, - }, + Description: "Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "preTerminate": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.", + Type: []string{"string"}, + Format: "", }, + }, + "message": { SchemaProps: spec.SchemaProps{ - Description: "preTerminate hooks prevent the machine from being terminated. PreTerminate hooks be actioned after the Machine has been drained.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHook"), - }, - }, - }, + Description: "A human readable message indicating details about the transition. This field may be empty.", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"type", "status", "lastTransitionTime"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.LifecycleHook"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_machine_v1beta1_LoadBalancerReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_ConfidentialVM(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "LoadBalancerReference is a reference to a load balancer on AWS.", + Description: "ConfidentialVM defines the UEFI settings for the virtual machine.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "type": { + "uefiSettings": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), }, }, }, - Required: []string{"name", "type"}, + Required: []string{"uefiSettings"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.UEFISettings"}, } } -func schema_openshift_api_machine_v1beta1_Machine(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_DataDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Machine is the Schema for the machines API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "DataDisk specifies the parameters that are used to add one or more data disks to the machine. A Data Disk is a managed disk that's attached to a virtual machine to store application data. It differs from an OS Disk as it doesn't come with a pre-installed OS, and it cannot contain the boot volume. It is registered as SCSI drive and labeled with the chosen `lun`. e.g. for `lun: 0` the raw disk device will be available at `/dev/disk/azure/scsi1/lun0`.\n\nAs the Data Disk disk device is attached raw to the virtual machine, it will need to be partitioned, formatted with a filesystem and mounted, in order for it to be usable. This can be done by creating a custom userdata Secret with custom Ignition configuration to achieve the desired initialization. At this stage the previously defined `lun` is to be used as the \"device\" key for referencing the raw disk device to be initialized. Once the custom userdata Secret has been created, it can be referenced in the Machine's `.providerSpec.userDataSecret`. For further guidance and examples, please refer to the official OpenShift docs.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "nameSuffix": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "nameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. NameSuffix name must start and finish with an alphanumeric character and can only contain letters, numbers, underscores, periods or hyphens. The overall disk name must not exceed 80 chars in length.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "diskSizeGB": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "diskSizeGB is the size in GB to assign to the data disk.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "metadata": { + "managedDisk": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Description: "managedDisk specifies the Managed Disk parameters for the data disk. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a ManagedDisk with with storageAccountType: \"Premium_LRS\" and diskEncryptionSet.id: \"Default\".", Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Ref: ref("github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters"), }, }, - "spec": { + "lun": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), + Description: "lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. This value is also needed for referencing the data disks devices within userdata to perform disk initialization through Ignition (e.g. partition/format/mount). The value must be between 0 and 63.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "status": { + "cachingType": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineStatus"), + Description: "cachingType specifies the caching requirements. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is CachingTypeNone.", + Type: []string{"string"}, + Format: "", + }, + }, + "deletionPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "deletionPolicy specifies the data disk deletion policy upon Machine deletion. Possible values are \"Delete\",\"Detach\". When \"Delete\" is used the data disk is deleted when the Machine is deleted. When \"Detach\" is used the data disk is detached from the Machine and retained when the Machine is deleted.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"nameSuffix", "diskSizeGB", "lun", "deletionPolicy"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineSpec", "github.com/openshift/api/machine/v1beta1.MachineStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters"}, } } -func schema_openshift_api_machine_v1beta1_MachineHealthCheck(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_DataDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineHealthCheck is the Schema for the machinehealthchecks API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "storageAccountType": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\" and \"UltraSSD_LRS\".", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "Specification of machine health check policy", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheckSpec"), - }, - }, - "status": { + "diskEncryptionSet": { SchemaProps: spec.SchemaProps{ - Description: "Most recently observed status of MachineHealthCheck resource", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheckStatus"), + Description: "diskEncryptionSet is the disk encryption set properties. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a DiskEncryptionSet with id: \"Default\".", + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), }, }, }, + Required: []string{"storageAccountType"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineHealthCheckSpec", "github.com/openshift/api/machine/v1beta1.MachineHealthCheckStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, } } -func schema_openshift_api_machine_v1beta1_MachineHealthCheckList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_DiskEncryptionSetParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineHealthCheckList contains a list of MachineHealthCheck Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "DiskEncryptionSetParameters is the disk encryption set properties", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "id": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "id is the disk encryption set ID Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is: \"Default\".", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheck"), - }, - }, - }, - }, - }, }, - Required: []string{"items"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineHealthCheck", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_MachineHealthCheckSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_DiskSettings(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineHealthCheckSpec defines the desired state of MachineHealthCheck", + Description: "DiskSettings describe ephemeral disk settings for the os disk.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "selector": { - SchemaProps: spec.SchemaProps{ - Description: "Label selector to match machines whose health will be exercised. Note: An empty selector will match all machines.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), - }, - }, - "unhealthyConditions": { - SchemaProps: spec.SchemaProps{ - Description: "unhealthyConditions contains a list of the conditions that determine whether a node is considered unhealthy. The conditions are combined in a logical OR, i.e. if any of the conditions is met, the node is unhealthy.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.UnhealthyCondition"), - }, - }, - }, - }, - }, - "maxUnhealthy": { - SchemaProps: spec.SchemaProps{ - Description: "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation.", - Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), - }, - }, - "nodeStartupTimeout": { - SchemaProps: spec.SchemaProps{ - Description: "Machines older than this duration without a node will be considered to have failed and will be remediated. To prevent Machines without Nodes from being removed, disable startup checks by setting this value explicitly to \"0\". Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), - }, - }, - "remediationTemplate": { + "ephemeralStorageLocation": { SchemaProps: spec.SchemaProps{ - Description: "remediationTemplate is a reference to a remediation template provided by an infrastructure provider.\n\nThis field is completely optional, when filled, the MachineHealthCheck controller creates a new object from the template referenced and hands off remediation of the machine to a controller that lives outside of Machine API Operator.", - Ref: ref("k8s.io/api/core/v1.ObjectReference"), + Description: "ephemeralStorageLocation enables ephemeral OS when set to 'Local'. Possible values include: 'Local'. See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks for full details. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is that disks are saved to remote Azure storage.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"selector", "unhealthyConditions"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.UnhealthyCondition", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"}, } } -func schema_openshift_api_machine_v1beta1_MachineHealthCheckStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineHealthCheckStatus defines the observed state of MachineHealthCheck", + Description: "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "expectedMachines": { + "deleteOnTermination": { SchemaProps: spec.SchemaProps{ - Description: "total number of machines counted by this machine health check", - Type: []string{"integer"}, - Format: "int32", + Description: "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", + Type: []string{"boolean"}, + Format: "", }, }, - "currentHealthy": { + "encrypted": { SchemaProps: spec.SchemaProps{ - Description: "total number of machines counted by this machine health check", - Type: []string{"integer"}, - Format: "int32", + Description: "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", + Type: []string{"boolean"}, + Format: "", }, }, - "remediationsAllowed": { + "kmsKey": { SchemaProps: spec.SchemaProps{ - Description: "remediationsAllowed is the number of further remediations allowed by this machine health check before maxUnhealthy short circuiting will be applied", - Default: 0, + Description: "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.AWSResourceReference"), + }, + }, + "iops": { + SchemaProps: spec.SchemaProps{ + Description: "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", Type: []string{"integer"}, - Format: "int32", + Format: "int64", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, + "volumeSize": { + SchemaProps: spec.SchemaProps{ + Description: "The size of the volume, in GiB.\n\nConstraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned IOPS SSD (io1), 500-16384 for Throughput Optimized HDD (st1), 500-16384 for Cold HDD (sc1), and 1-1024 for Magnetic (standard) volumes. If you specify a snapshot, the volume size must be equal to or larger than the snapshot size.\n\nDefault: If you're creating the volume from a snapshot and don't specify a volume size, the default is the snapshot size.", + Type: []string{"integer"}, + Format: "int64", }, + }, + "volumeType": { SchemaProps: spec.SchemaProps{ - Description: "conditions defines the current state of the MachineHealthCheck", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), - }, - }, - }, + Description: "The volume type: gp2, io1, st1, sc1, or standard. Default: standard", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"expectedMachines", "currentHealthy"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.Condition"}, + "github.com/openshift/api/machine/v1beta1.AWSResourceReference"}, } } -func schema_openshift_api_machine_v1beta1_MachineList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Filter(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineList contains a list of Machine Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "Filter is a filter used to identify an AWS resource", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "name of the filter. Filter names are case-sensitive.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { + "values": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "values includes one or more filter values. Filter values are case-sensitive.", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Machine"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, }, - Required: []string{"items"}, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.Machine", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_MachineSet(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineSet ensures that a specified number of machines replicas are running at any given time. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "GCPDisk describes disks for GCP.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "autoDelete": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, + Description: "autoDelete indicates if the disk will be auto-deleted when the instance is deleted (default false).", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "apiVersion": { + "boot": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "boot indicates if this is a boot disk (default false).", + Default: false, + Type: []string{"boolean"}, + Format: "", + }, + }, + "sizeGb": { + SchemaProps: spec.SchemaProps{ + Description: "sizeGb is the size of the disk (in GB).", + Default: 0, + Type: []string{"integer"}, + Format: "int64", + }, + }, + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the type of the disk (eg: pd-standard).", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "image": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Description: "image is the source image to create this disk.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "spec": { + "labels": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSetSpec"), + Description: "labels list of labels to apply to the disk.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "status": { + "encryptionKey": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSetStatus"), + Description: "encryptionKey is the customer-supplied encryption key of the disk.", + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPEncryptionKeyReference"), }, }, }, + Required: []string{"autoDelete", "boot", "sizeGb", "type", "image", "labels"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineSetSpec", "github.com/openshift/api/machine/v1beta1.MachineSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.GCPEncryptionKeyReference"}, } } -func schema_openshift_api_machine_v1beta1_MachineSetList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPEncryptionKeyReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineSetList contains a list of MachineSet Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "GCPEncryptionKeyReference describes the encryptionKey to use for a disk's encryption.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { + "kmsKey": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Description: "KMSKeyName is the reference KMS key, in the format", + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPKMSKeyReference"), }, }, - "items": { + "kmsKeyServiceAccount": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSet"), - }, - }, - }, + Description: "kmsKeyServiceAccount is the service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used. See https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_service_account for details on the default service account.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/machine/v1beta1.GCPKMSKeyReference"}, } } -func schema_openshift_api_machine_v1beta1_MachineSetSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPGPUConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineSetSpec defines the desired state of MachineSet", + Description: "GCPGPUConfig describes type and count of GPUs attached to the instance on GCP.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "replicas": { + "count": { SchemaProps: spec.SchemaProps{ - Description: "replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1.", + Description: "count is the number of GPUs to be attached to an instance.", + Default: 0, Type: []string{"integer"}, Format: "int32", }, }, - "minReadySeconds": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "minReadySeconds is the minimum number of seconds for which a newly created machine should be ready. Defaults to 0 (machine will be considered available as soon as it is ready)", - Type: []string{"integer"}, - Format: "int32", + Description: "type is the type of GPU to be attached to an instance. Supported GPU types are: nvidia-tesla-k80, nvidia-tesla-p100, nvidia-tesla-v100, nvidia-tesla-p4, nvidia-tesla-t4", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "deletePolicy": { + }, + Required: []string{"count", "type"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_GCPKMSKeyReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GCPKMSKeyReference gathers required fields for looking up a GCP KMS Key", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { SchemaProps: spec.SchemaProps{ - Description: "deletePolicy defines the policy used to identify nodes to delete when downscaling. Defaults to \"Random\". Valid values are \"Random, \"Newest\", \"Oldest\"", + Description: "name is the name of the customer managed encryption key to be used for the disk encryption.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "selector": { + "keyRing": { SchemaProps: spec.SchemaProps{ - Description: "selector is a label query over machines that should match the replica count. Label keys and values that must match in order to be controlled by this MachineSet. It must match the machine template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + Description: "keyRing is the name of the KMS Key Ring which the KMS Key belongs to.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "template": { + "projectID": { SchemaProps: spec.SchemaProps{ - Description: "template is the object that describes the machine that will be created if insufficient replicas are detected.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineTemplateSpec"), + Description: "projectID is the ID of the Project in which the KMS Key Ring exists. Defaults to the VM ProjectID if not set.", + Type: []string{"string"}, + Format: "", }, }, - "authoritativeAPI": { + "location": { SchemaProps: spec.SchemaProps{ - Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI and ClusterAPI. When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. Currently the authoritative API determines which controller will manage the resource, this will change in a future release. To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`.", - Default: "MachineAPI", + Description: "location is the GCP location in which the Key Ring exists.", + Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"selector"}, + Required: []string{"name", "keyRing", "location"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, } } -func schema_openshift_api_machine_v1beta1_MachineSetStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineSetStatus defines the observed state of MachineSet", + Description: "GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an GCP virtual machine. It is used by the GCP machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "replicas": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "replicas is the most recently observed number of replicas.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "fullyLabeledReplicas": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "The number of replicas that have labels matching the labels of the machine template of the MachineSet.", - Type: []string{"integer"}, - Format: "int32", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "readyReplicas": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "The number of ready replicas for this MachineSet. A machine is considered ready when the node has been created and is \"Ready\".", - Type: []string{"integer"}, - Format: "int32", + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "availableReplicas": { + "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "The number of available replicas (ready for at least minReadySeconds) for this MachineSet.", - Type: []string{"integer"}, - Format: "int32", + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - "observedGeneration": { + "credentialsSecret": { SchemaProps: spec.SchemaProps{ - Description: "observedGeneration reflects the generation of the most recently observed MachineSet.", - Type: []string{"integer"}, - Format: "int64", + Description: "credentialsSecret is a reference to the secret with GCP credentials.", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - "errorReason": { + "canIPForward": { SchemaProps: spec.SchemaProps{ - Description: "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.", - Type: []string{"string"}, + Description: "canIPForward Allows this instance to send and receive packets with non-matching destination or source IPs. This is required if you plan to use this instance to forward routes.", + Default: false, + Type: []string{"boolean"}, Format: "", }, }, - "errorMessage": { + "deletionProtection": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Description: "deletionProtection whether the resource should be protected against deletion.", + Default: false, + Type: []string{"boolean"}, + Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, + "disks": { SchemaProps: spec.SchemaProps{ - Description: "conditions defines the current state of the MachineSet", + Description: "disks is a list of disks to be attached to the VM.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPDisk"), }, }, }, }, }, - "authoritativeAPI": { + "labels": { SchemaProps: spec.SchemaProps{ - Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", - Type: []string{"string"}, - Format: "", + Description: "labels list of labels to apply to the VM.", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "synchronizedGeneration": { + "gcpMetadata": { SchemaProps: spec.SchemaProps{ - Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", - Type: []string{"integer"}, - Format: "int64", + Description: "Metadata key/value pairs to apply to the VM.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPMetadata"), + }, + }, + }, }, }, - }, - Required: []string{"replicas"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.Condition"}, - } -} - -func schema_openshift_api_machine_v1beta1_MachineSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MachineSpec defines the desired state of Machine", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "metadata": { + "networkInterfaces": { SchemaProps: spec.SchemaProps{ - Description: "ObjectMeta will autopopulate the Node created. Use this to indicate what labels, annotations, name prefix, etc., should be used when creating the Node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.ObjectMeta"), + Description: "networkInterfaces is a list of network interfaces to be attached to the VM.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPNetworkInterface"), + }, + }, + }, }, }, - "lifecycleHooks": { + "serviceAccounts": { SchemaProps: spec.SchemaProps{ - Description: "lifecycleHooks allow users to pause operations on the machine at certain predefined points within the machine lifecycle.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHooks"), + Description: "serviceAccounts is a list of GCP service accounts to be used by the VM.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPServiceAccount"), + }, + }, + }, }, }, - "taints": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", + "tags": { + SchemaProps: spec.SchemaProps{ + Description: "tags list of network tags to apply to the VM.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, }, }, + }, + "targetPools": { SchemaProps: spec.SchemaProps{ - Description: "The list of the taints to be applied to the corresponding Node in additive manner. This list will not overwrite any other taints added to the Node on an ongoing basis by other entities. These taints should be actively reconciled e.g. if you ask the machine controller to apply a taint and then manually remove the taint the machine controller will put it back) but not have the machine controller remove any taints", + Description: "targetPools are used for network TCP/UDP load balancing. A target pool references member instances, an associated legacy HttpHealthCheck resource, and, optionally, a backup target pool", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.Taint"), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, - "providerSpec": { + "machineType": { SchemaProps: spec.SchemaProps{ - Description: "providerSpec details Provider-specific configuration to use during node creation.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.ProviderSpec"), + Description: "machineType is the machine type to use for the VM.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "providerID": { + "region": { SchemaProps: spec.SchemaProps{ - Description: "providerID is the identification ID of the machine provided by the provider. This field must match the provider ID as seen on the node object corresponding to this machine. This field is required by higher level consumers of cluster-api. Example use case is cluster autoscaler with cluster-api as provider. Clean-up logic in the autoscaler compares machines to nodes to find out machines at provider which could not get registered as Kubernetes nodes. With cluster-api as a generic out-of-tree provider for autoscaler, this field is required by autoscaler to be able to have a provider view of the list of machines. Another list of nodes is queried from the k8s apiserver and then a comparison is done to find out unregistered machines and are marked for delete. This field will be set by the actuators and consumed by higher level entities like autoscaler that will be interfacing with cluster-api as generic provider.", + Description: "region is the region in which the GCP machine provider will create the VM.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "authoritativeAPI": { + "zone": { SchemaProps: spec.SchemaProps{ - Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI and ClusterAPI. When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. Currently the authoritative API determines which controller will manage the resource, this will change in a future release. To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`.", - Default: "MachineAPI", + Description: "zone is the zone in which the GCP machine provider will create the VM.", + Default: "", Type: []string{"string"}, Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.LifecycleHooks", "github.com/openshift/api/machine/v1beta1.ObjectMeta", "github.com/openshift/api/machine/v1beta1.ProviderSpec", "k8s.io/api/core/v1.Taint"}, - } -} - -func schema_openshift_api_machine_v1beta1_MachineStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MachineStatus defines the observed state of Machine", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "nodeRef": { + "projectID": { SchemaProps: spec.SchemaProps{ - Description: "nodeRef will point to the corresponding Node if it exists.", - Ref: ref("k8s.io/api/core/v1.ObjectReference"), + Description: "projectID is the project in which the GCP machine provider will create the VM.", + Type: []string{"string"}, + Format: "", }, }, - "lastUpdated": { + "gpus": { SchemaProps: spec.SchemaProps{ - Description: "lastUpdated identifies when this status was last observed.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "gpus is a list of GPUs to be attached to the VM.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPGPUConfig"), + }, + }, + }, }, }, - "errorReason": { + "preemptible": { SchemaProps: spec.SchemaProps{ - Description: "errorReason will be set in the event that there is a terminal problem reconciling the Machine and will contain a succinct value suitable for machine interpretation.\n\nThis field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output.", + Description: "preemptible indicates if created instance is preemptible.", + Type: []string{"boolean"}, + Format: "", + }, + }, + "onHostMaintenance": { + SchemaProps: spec.SchemaProps{ + Description: "onHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot. This is required to be set to \"Terminate\" if you want to provision machine with attached GPUs. Otherwise, allowed values are \"Migrate\" and \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Migrate\".", Type: []string{"string"}, Format: "", }, }, - "errorMessage": { + "restartPolicy": { SchemaProps: spec.SchemaProps{ - Description: "errorMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption.\n\nThis field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output.", + Description: "restartPolicy determines the behavior when an instance crashes or the underlying infrastructure provider stops the instance as part of a maintenance event (default \"Always\"). Cannot be \"Always\" with preemptible instances. Otherwise, allowed values are \"Always\" and \"Never\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is \"Always\". RestartPolicy represents AutomaticRestart in GCP compute api", Type: []string{"string"}, Format: "", }, }, - "providerStatus": { + "shieldedInstanceConfig": { SchemaProps: spec.SchemaProps{ - Description: "providerStatus details a Provider-specific status. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "shieldedInstanceConfig is the Shielded VM configuration for the VM", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.GCPShieldedInstanceConfig"), }, }, - "addresses": { + "confidentialCompute": { + SchemaProps: spec.SchemaProps{ + Description: "confidentialCompute is an optional field defining whether the instance should have confidential compute enabled or not, and the confidential computing technology of choice. Allowed values are omitted, Disabled, Enabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, and IntelTrustedDomainExtensions When set to Disabled, the machine will not be configured to be a confidential computing instance. When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization. When set to AMDEncryptedVirtualization, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization (AMD SEV) as the confidential computing technology. When set to AMDEncryptedVirtualizationNestedPaging, the machine will be configured as a confidential computing instance with AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP) as the confidential computing technology. When set to IntelTrustedDomainExtensions, the machine will be configured as a confidential computing instance with Intel Trusted Domain Extensions (Intel TDX) as the confidential computing technology. If any value other than Disabled is set the selected machine type must support that specific confidential computing technology. The machine series supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#all-confidential-vm-instances Currently, AMDEncryptedVirtualization is supported in c2d, n2d, and c3d machines. AMDEncryptedVirtualizationNestedPaging is supported in n2d machines. IntelTrustedDomainExtensions is supported in c3 machines. If any value other than Disabled is set, the selected region must support that specific confidential computing technology. The list of regions supporting confidential computing technologies can be checked at https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#supported-zones If any value other than Disabled is set onHostMaintenance is required to be set to \"Terminate\". If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + "resourceManagerTags": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", + "x-kubernetes-list-map-keys": []interface{}{ + "key", + }, + "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "addresses is a list of addresses assigned to the machine. Queried from cloud provider, if available.", + Description: "resourceManagerTags is an optional list of tags to apply to the GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/api/core/v1.NodeAddress"), + Ref: ref("github.com/openshift/api/machine/v1beta1.ResourceManagerTag"), }, }, }, }, }, - "lastOperation": { + }, + Required: []string{"canIPForward", "deletionProtection", "serviceAccounts", "machineType", "region", "zone"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.GCPDisk", "github.com/openshift/api/machine/v1beta1.GCPGPUConfig", "github.com/openshift/api/machine/v1beta1.GCPMetadata", "github.com/openshift/api/machine/v1beta1.GCPNetworkInterface", "github.com/openshift/api/machine/v1beta1.GCPServiceAccount", "github.com/openshift/api/machine/v1beta1.GCPShieldedInstanceConfig", "github.com/openshift/api/machine/v1beta1.ResourceManagerTag", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_machine_v1beta1_GCPMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "GCPMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains GCP-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { SchemaProps: spec.SchemaProps{ - Description: "lastOperation describes the last-operation performed by the machine-controller. This API should be useful as a history in terms of the latest operation performed on the specific machine. It should also convey the state of the latest-operation for example if it is still on-going, failed or completed successfully.", - Ref: ref("github.com/openshift/api/machine/v1beta1.LastOperation"), + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "phase": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "phase represents the current phase of machine actuation. One of: Failed, Provisioning, Provisioned, Running, Deleting", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "instanceId": { + SchemaProps: spec.SchemaProps{ + Description: "instanceId is the ID of the instance in GCP", + Type: []string{"string"}, + Format: "", + }, + }, + "instanceState": { + SchemaProps: spec.SchemaProps{ + Description: "instanceState is the provisioning state of the GCP Instance.", Type: []string{"string"}, Format: "", }, @@ -39329,79 +39964,86 @@ func schema_openshift_api_machine_v1beta1_MachineStatus(ref common.ReferenceCall }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions defines the current state of the Machine", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), }, }, }, }, }, - "authoritativeAPI": { - SchemaProps: spec.SchemaProps{ - Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", - Type: []string{"string"}, - Format: "", - }, - }, - "synchronizedGeneration": { - SchemaProps: spec.SchemaProps{ - Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", - Type: []string{"integer"}, - Format: "int64", - }, - }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.Condition", "github.com/openshift/api/machine/v1beta1.LastOperation", "k8s.io/api/core/v1.NodeAddress", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_MachineTemplateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPMetadata(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineTemplateSpec describes the data needed to create a Machine from a template", + Description: "GCPMetadata describes metadata for GCP.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "metadata": { + "key": { SchemaProps: spec.SchemaProps{ - Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.ObjectMeta"), + Description: "key is the metadata key.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "spec": { + "value": { SchemaProps: spec.SchemaProps{ - Description: "Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), + Description: "value is the metadata value.", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"key", "value"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.MachineSpec", "github.com/openshift/api/machine/v1beta1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_MetadataServiceOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPNetworkInterface(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MetadataServiceOptions defines the options available to a user when configuring Instance Metadata Service (IMDS) Options.", + Description: "GCPNetworkInterface describes network interfaces for GCP", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "authentication": { + "publicIP": { SchemaProps: spec.SchemaProps{ - Description: "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service. When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is optional. At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", + Description: "publicIP indicates if true a public IP will be used", + Type: []string{"boolean"}, + Format: "", + }, + }, + "network": { + SchemaProps: spec.SchemaProps{ + Description: "network is the network name.", + Type: []string{"string"}, + Format: "", + }, + }, + "projectID": { + SchemaProps: spec.SchemaProps{ + Description: "projectID is the project in which the GCP machine provider will create the VM.", + Type: []string{"string"}, + Format: "", + }, + }, + "subnetwork": { + SchemaProps: spec.SchemaProps{ + Description: "subnetwork is the subnetwork name.", Type: []string{"string"}, Format: "", }, @@ -39412,277 +40054,256 @@ func schema_openshift_api_machine_v1beta1_MetadataServiceOptions(ref common.Refe } } -func schema_openshift_api_machine_v1beta1_NetworkDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPServiceAccount(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NetworkDeviceSpec defines the network configuration for a virtual machine's network device.", + Description: "GCPServiceAccount describes service accounts for GCP.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "networkName": { - SchemaProps: spec.SchemaProps{ - Description: "networkName is the name of the vSphere network or port group to which the network device will be connected, for example, port-group-1. When not provided, the vCenter API will attempt to select a default network. The available networks (port groups) can be listed using `govc ls 'network/*'`", - Type: []string{"string"}, - Format: "", - }, - }, - "gateway": { + "email": { SchemaProps: spec.SchemaProps{ - Description: "gateway is an IPv4 or IPv6 address which represents the subnet gateway, for example, 192.168.1.1.", + Description: "email is the service account email.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "ipAddrs": { - SchemaProps: spec.SchemaProps{ - Description: "ipAddrs is a list of one or more IPv4 and/or IPv6 addresses and CIDR to assign to this device, for example, 192.168.1.100/24. IP addresses provided via ipAddrs are intended to allow explicit assignment of a machine's IP address. IP pool configurations provided via addressesFromPool, however, defer IP address assignment to an external controller. If both addressesFromPool and ipAddrs are empty or not defined, DHCP will be used to assign an IP address. If both ipAddrs and addressesFromPools are defined, the IP addresses associated with ipAddrs will be applied first followed by IP addresses from addressesFromPools.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "nameservers": { - SchemaProps: spec.SchemaProps{ - Description: "nameservers is a list of IPv4 and/or IPv6 addresses used as DNS nameservers, for example, 8.8.8.8. a nameserver is not provided by a fulfilled IPAddressClaim. If DHCP is not the source of IP addresses for this network device, nameservers should include a valid nameserver.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "addressesFromPools": { + "scopes": { SchemaProps: spec.SchemaProps{ - Description: "addressesFromPools is a list of references to IP pool types and instances which are handled by an external controller. addressesFromPool configurations provided via addressesFromPools defer IP address assignment to an external controller. IP addresses provided via ipAddrs, however, are intended to allow explicit assignment of a machine's IP address. If both addressesFromPool and ipAddrs are empty or not defined, DHCP will assign an IP address. If both ipAddrs and addressesFromPools are defined, the IP addresses associated with ipAddrs will be applied first followed by IP addresses from addressesFromPools.", + Description: "scopes list of scopes to be assigned to the service account.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.AddressesFromPool"), + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, }, + Required: []string{"email", "scopes"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.AddressesFromPool"}, } } -func schema_openshift_api_machine_v1beta1_NetworkSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_GCPShieldedInstanceConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "NetworkSpec defines the virtual machine's network configuration.", + Description: "GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP. Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "devices": { + "secureBoot": { SchemaProps: spec.SchemaProps{ - Description: "devices defines the virtual machine's network interfaces.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"), - }, - }, - }, + Description: "secureBoot Defines whether the instance should have secure boot enabled. Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + "virtualizedTrustedPlatformModule": { + SchemaProps: spec.SchemaProps{ + Description: "virtualizedTrustedPlatformModule enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be set to \"Enabled\" if IntegrityMonitoring is enabled. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.", + Type: []string{"string"}, + Format: "", + }, + }, + "integrityMonitoring": { + SchemaProps: spec.SchemaProps{ + Description: "integrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity. Compares the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"devices"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"}, } } -func schema_openshift_api_machine_v1beta1_OSDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Image(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "Image is a mirror of azure sdk compute.ImageReference", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "osType": { + "publisher": { SchemaProps: spec.SchemaProps{ - Description: "osType is the operating system type of the OS disk. Possible values include \"Linux\" and \"Windows\".", + Description: "publisher is the name of the organization that created the image", Default: "", Type: []string{"string"}, Format: "", }, }, - "managedDisk": { + "offer": { SchemaProps: spec.SchemaProps{ - Description: "managedDisk specifies the Managed Disk parameters for the OS disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"), + Description: "offer specifies the name of a group of related images created by the publisher. For example, UbuntuServer, WindowsServer", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "diskSizeGB": { + "sku": { SchemaProps: spec.SchemaProps{ - Description: "diskSizeGB is the size in GB to assign to the data disk.", - Default: 0, - Type: []string{"integer"}, - Format: "int32", + Description: "sku specifies an instance of an offer, such as a major release of a distribution. For example, 18.04-LTS, 2019-Datacenter", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "diskSettings": { + "version": { SchemaProps: spec.SchemaProps{ - Description: "diskSettings describe ephemeral disk settings for the os disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskSettings"), + Description: "version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, Minor, and Build are decimal numbers. Specify 'latest' to use the latest version of an image available at deploy time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "cachingType": { + "resourceID": { SchemaProps: spec.SchemaProps{ - Description: "cachingType specifies the caching requirements. Possible values include: 'None', 'ReadOnly', 'ReadWrite'. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `None`.", + Description: "resourceID specifies an image to use by ID", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type identifies the source of the image and related information, such as purchase plans. Valid values are \"ID\", \"MarketplaceWithPlan\", \"MarketplaceNoPlan\", and omitted, which means no opinion and the platform chooses a good default which may change over time. Currently that default is \"MarketplaceNoPlan\" if publisher data is supplied, or \"ID\" if not. For more information about purchase plans, see: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/cli-ps-findimage#check-the-purchase-plan-information", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"osType", "managedDisk", "diskSizeGB"}, + Required: []string{"publisher", "offer", "sku", "version", "resourceID"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskSettings", "github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"}, } } -func schema_openshift_api_machine_v1beta1_OSDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_LastOperation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OSDiskManagedDiskParameters is the parameters of a OSDisk managed disk.", + Description: "LastOperation represents the detail of the last performed operation on the MachineObject.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "storageAccountType": { + "description": { SchemaProps: spec.SchemaProps{ - Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", - Default: "", + Description: "description is the human-readable description of the last operation.", Type: []string{"string"}, Format: "", }, }, - "diskEncryptionSet": { + "lastUpdated": { SchemaProps: spec.SchemaProps{ - Description: "diskEncryptionSet is the disk encryption set properties", - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + Description: "lastUpdated is the timestamp at which LastOperation API was last-updated.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "securityProfile": { + "state": { SchemaProps: spec.SchemaProps{ - Description: "securityProfile specifies the security profile for the managed disk.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"), + Description: "state is the current status of the last performed operation. E.g. Processing, Failed, Successful etc", + Type: []string{"string"}, + Format: "", + }, + }, + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the type of operation which was last performed. E.g. Create, Delete, Update etc", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"storageAccountType"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters", "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_machine_v1beta1_ObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_LifecycleHook(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. This is a copy of customizable fields from metav1.ObjectMeta.\n\nObjectMeta is embedded in `Machine.Spec`, `MachineDeployment.Template` and `MachineSet.Template`, which are not top-level Kubernetes objects. Given that metav1.ObjectMeta has lots of special cases and read-only fields which end up in the generated CRD validation, having it as a subset simplifies the API and some issues that can impact user experience.\n\nDuring the [upgrade to controller-tools@v2](https://github.com/kubernetes-sigs/cluster-api/pull/1054) for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically `spec.metadata.creationTimestamp in body must be of type string: \"null\"`. The investigation showed that `controller-tools@v2` behaves differently than its previous version when handling types from [metav1](k8s.io/apimachinery/pkg/apis/meta/v1) package.\n\nIn more details, we found that embedded (non-top level) types that embedded `metav1.ObjectMeta` had validation properties, including for `creationTimestamp` (metav1.Time). The `metav1.Time` type specifies a custom json marshaller that, when IsZero() is true, returns `null` which breaks validation because the field isn't marked as nullable.\n\nIn future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited.", + Description: "LifecycleHook represents a single instance of a lifecycle hook", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - Type: []string{"string"}, - Format: "", - }, - }, - "generateName": { - SchemaProps: spec.SchemaProps{ - Description: "generateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + Description: "name defines a unique name for the lifcycle hook. The name should be unique and descriptive, ideally 1-3 words, in CamelCase or it may be namespaced, eg. foo.example.com/CamelCase. Names must be unique and should only be managed by a single entity.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "namespace": { + "owner": { SchemaProps: spec.SchemaProps{ - Description: "namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", + Description: "owner defines the owner of the lifecycle hook. This should be descriptive enough so that users can identify who/what is responsible for blocking the lifecycle. This could be the name of a controller (e.g. clusteroperator/etcd) or an administrator managing the hook.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "labels": { - SchemaProps: spec.SchemaProps{ - Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, + }, + Required: []string{"name", "owner"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_LifecycleHooks(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "LifecycleHooks allow users to pause operations on the machine at certain prefedined points within the machine lifecycle.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "preDrain": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", }, + "x-kubernetes-list-type": "map", }, }, - }, - "annotations": { SchemaProps: spec.SchemaProps{ - Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, + Description: "preDrain hooks prevent the machine from being drained. This also blocks further lifecycle events, such as termination.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHook"), }, }, }, }, }, - "ownerReferences": { + "preTerminate": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "uid", + "name", }, - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge", + "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + Description: "preTerminate hooks prevent the machine from being terminated. PreTerminate hooks be actioned after the Machine has been drained.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"), + Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHook"), }, }, }, @@ -39692,935 +40313,1285 @@ func schema_openshift_api_machine_v1beta1_ObjectMeta(ref common.ReferenceCallbac }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"}, + "github.com/openshift/api/machine/v1beta1.LifecycleHook"}, } } -func schema_openshift_api_machine_v1beta1_Placement(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_LoadBalancerReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Placement indicates where to create the instance in AWS", + Description: "LoadBalancerReference is a reference to a load balancer on AWS.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "region": { - SchemaProps: spec.SchemaProps{ - Description: "region is the region to use to create the instance", - Type: []string{"string"}, - Format: "", - }, - }, - "availabilityZone": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "availabilityZone is the availability zone of the instance", - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "tenancy": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host.", - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"name", "type"}, }, }, } } -func schema_openshift_api_machine_v1beta1_ProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Machine(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ProviderSpec defines the configuration to use during node creation.", + Description: "Machine is the Schema for the machines API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "value": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "value is an inlined, serialized representation of the resource configuration. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field, akin to component config.", - Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineStatus"), }, }, }, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "github.com/openshift/api/machine/v1beta1.MachineSpec", "github.com/openshift/api/machine/v1beta1.MachineStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_ResourceManagerTag(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineHealthCheck(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ResourceManagerTag is a tag to apply to GCP resources created for the cluster.", + Description: "MachineHealthCheck is the Schema for the machinehealthchecks API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "parentID": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "parentID is the ID of the hierarchical resource where the tags are defined e.g. at the Organization or the Project level. To find the Organization or Project ID ref https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects An OrganizationID can have a maximum of 32 characters and must consist of decimal numbers, and cannot have leading zeroes. A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens, and must start with a letter, and cannot end with a hyphen.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "key": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `._-`.", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - "value": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - }, - Required: []string{"parentID", "key", "value"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_SecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SecurityProfile specifies the Security profile settings for a virtual machine or virtual machine scale set.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "encryptionAtHost": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", - Type: []string{"boolean"}, - Format: "", + Description: "Specification of machine health check policy", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheckSpec"), }, }, - "settings": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", + Description: "Most recently observed status of MachineHealthCheck resource", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.SecuritySettings"), + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheckStatus"), }, }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.SecuritySettings"}, + "github.com/openshift/api/machine/v1beta1.MachineHealthCheckSpec", "github.com/openshift/api/machine/v1beta1.MachineHealthCheckStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineHealthCheckList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + Description: "MachineHealthCheckList contains a list of MachineHealthCheck Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "securityType": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "confidentialVM": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", - Ref: ref("github.com/openshift/api/machine/v1beta1.ConfidentialVM"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "trustedLaunch": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", - Ref: ref("github.com/openshift/api/machine/v1beta1.TrustedLaunch"), + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, - }, - Required: []string{"securityType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "securityType", - "fields-to-discriminateBy": map[string]interface{}{ - "confidentialVM": "ConfidentialVM", - "trustedLaunch": "TrustedLaunch", + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineHealthCheck"), + }, + }, }, }, }, }, + Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.ConfidentialVM", "github.com/openshift/api/machine/v1beta1.TrustedLaunch"}, + "github.com/openshift/api/machine/v1beta1.MachineHealthCheck", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_SpotMarketOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineHealthCheckSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SpotMarketOptions defines the options available to a user when configuring Machines to run on Spot instances. Most users should provide an empty struct.", + Description: "MachineHealthCheckSpec defines the desired state of MachineHealthCheck", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "maxPrice": { + "selector": { SchemaProps: spec.SchemaProps{ - Description: "The maximum price the user is willing to pay for their instances Default: On-Demand price", - Type: []string{"string"}, - Format: "", + Description: "Label selector to match machines whose health will be exercised. Note: An empty selector will match all machines.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), + }, + }, + "unhealthyConditions": { + SchemaProps: spec.SchemaProps{ + Description: "unhealthyConditions contains a list of the conditions that determine whether a node is considered unhealthy. The conditions are combined in a logical OR, i.e. if any of the conditions is met, the node is unhealthy.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.UnhealthyCondition"), + }, + }, + }, + }, + }, + "maxUnhealthy": { + SchemaProps: spec.SchemaProps{ + Description: "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. Defaults to 100% if not set.", + Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), + }, + }, + "nodeStartupTimeout": { + SchemaProps: spec.SchemaProps{ + Description: "Machines older than this duration without a node will be considered to have failed and will be remediated. To prevent Machines without Nodes from being removed, disable startup checks by setting this value explicitly to \"0\". Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), + }, + }, + "remediationTemplate": { + SchemaProps: spec.SchemaProps{ + Description: "remediationTemplate is a reference to a remediation template provided by an infrastructure provider.\n\nThis field is completely optional, when filled, the MachineHealthCheck controller creates a new object from the template referenced and hands off remediation of the machine to a controller that lives outside of Machine API Operator.", + Ref: ref("k8s.io/api/core/v1.ObjectReference"), }, }, }, + Required: []string{"selector", "unhealthyConditions"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.UnhealthyCondition", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"}, } } -func schema_openshift_api_machine_v1beta1_SpotVMOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineHealthCheckStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "SpotVMOptions defines the options relevant to running the Machine on Spot VMs", + Description: "MachineHealthCheckStatus defines the observed state of MachineHealthCheck", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "maxPrice": { + "expectedMachines": { SchemaProps: spec.SchemaProps{ - Description: "maxPrice defines the maximum price the user is willing to pay for Spot VM instances", - Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), + Description: "total number of machines counted by this machine health check", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "currentHealthy": { + SchemaProps: spec.SchemaProps{ + Description: "total number of machines counted by this machine health check", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "remediationsAllowed": { + SchemaProps: spec.SchemaProps{ + Description: "remediationsAllowed is the number of further remediations allowed by this machine health check before maxUnhealthy short circuiting will be applied", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions defines the current state of the MachineHealthCheck", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), + }, + }, + }, }, }, }, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/api/resource.Quantity"}, + "github.com/openshift/api/machine/v1beta1.Condition"}, } } -func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "TagSpecification is the name/value pair for a tag", + Description: "MachineList contains a list of Machine Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "name of the tag", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "value": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "value of the tag", - Default: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"name", "value"}, - }, - }, - } -} - -func schema_openshift_api_machine_v1beta1_TrustedLaunch(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "TrustedLaunch defines the UEFI settings for the virtual machine.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "uefiSettings": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Machine"), + }, + }, + }, }, }, }, - Required: []string{"uefiSettings"}, + Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.UEFISettings"}, + "github.com/openshift/api/machine/v1beta1.Machine", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_UEFISettings(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineSet(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Description: "MachineSet ensures that a specified number of machines replicas are running at any given time. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "secureBoot": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "virtualizedTrustedPlatformModule": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSetSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSetStatus"), + }, + }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.MachineSetSpec", "github.com/openshift/api/machine/v1beta1.MachineSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineSetList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "UnhealthyCondition represents a Node condition type and value with a timeout specified as a duration. When the named condition has been in the given status for at least the timeout value, a node is considered unhealthy.", + Description: "MachineSetList contains a list of MachineSet Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "kind": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "status": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "timeout": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSet"), + }, + }, + }, }, }, }, - Required: []string{"type", "status", "timeout"}, + Required: []string{"items"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + "github.com/openshift/api/machine/v1beta1.MachineSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineSetSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + Description: "MachineSetSpec defines the desired state of MachineSet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "diskEncryptionSet": { + "replicas": { SchemaProps: spec.SchemaProps{ - Description: "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + Description: "replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "minReadySeconds": { + SchemaProps: spec.SchemaProps{ + Description: "minReadySeconds is the minimum number of seconds for which a newly created machine should be ready. Defaults to 0 (machine will be considered available as soon as it is ready)", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "deletePolicy": { + SchemaProps: spec.SchemaProps{ + Description: "deletePolicy defines the policy used to identify nodes to delete when downscaling. Defaults to \"Random\". Valid values are \"Random, \"Newest\", \"Oldest\"", + Type: []string{"string"}, + Format: "", + }, + }, + "selector": { + SchemaProps: spec.SchemaProps{ + Description: "selector is a label query over machines that should match the replica count. Label keys and values that must match in order to be controlled by this MachineSet. It must match the machine template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"), }, }, - "securityEncryptionType": { + "template": { SchemaProps: spec.SchemaProps{ - Description: "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Description: "template is the object that describes the machine that will be created if insufficient replicas are detected.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineTemplateSpec"), + }, + }, + "authoritativeAPI": { + SchemaProps: spec.SchemaProps{ + Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI and ClusterAPI. When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. Currently the authoritative API determines which controller will manage the resource, this will change in a future release. To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`.", + Default: "MachineAPI", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"selector"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, + "github.com/openshift/api/machine/v1beta1.MachineTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"}, } } -func schema_openshift_api_machine_v1beta1_VSphereDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineSetStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereDisk describes additional disks for vSphere.", + Description: "MachineSetStatus defines the observed state of MachineSet", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "replicas": { SchemaProps: spec.SchemaProps{ - Description: "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "replicas is the most recently observed number of replicas.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "sizeGiB": { + "fullyLabeledReplicas": { SchemaProps: spec.SchemaProps{ - Description: "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", - Default: 0, + Description: "The number of replicas that have labels matching the labels of the machine template of the MachineSet.", Type: []string{"integer"}, Format: "int32", }, }, - "provisioningMode": { + "readyReplicas": { SchemaProps: spec.SchemaProps{ - Description: "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", + Description: "The number of ready replicas for this MachineSet. A machine is considered ready when the node has been created and is \"Ready\".", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "availableReplicas": { + SchemaProps: spec.SchemaProps{ + Description: "The number of available replicas (ready for at least minReadySeconds) for this MachineSet.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration reflects the generation of the most recently observed MachineSet.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "errorReason": { + SchemaProps: spec.SchemaProps{ + Description: "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.", + Type: []string{"string"}, + Format: "", + }, + }, + "errorMessage": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions defines the current state of the MachineSet", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), + }, + }, + }, + }, + }, + "authoritativeAPI": { + SchemaProps: spec.SchemaProps{ + Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", Type: []string{"string"}, Format: "", }, }, + "synchronizedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", + Type: []string{"integer"}, + Format: "int64", + }, + }, }, - Required: []string{"name", "sizeGiB"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.Condition"}, } } -func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "MachineSpec defines the desired state of Machine", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "ObjectMeta will autopopulate the Node created. Use this to indicate what labels, annotations, name prefix, etc., should be used when creating the Node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.ObjectMeta"), }, }, - "apiVersion": { + "lifecycleHooks": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "lifecycleHooks allow users to pause operations on the machine at certain predefined points within the machine lifecycle.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.LifecycleHooks"), }, }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + "taints": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, }, - }, - "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "The list of the taints to be applied to the corresponding Node in additive manner. This list will not overwrite any other taints added to the Node on an ongoing basis by other entities. These taints should be actively reconciled e.g. if you ask the machine controller to apply a taint and then manually remove the taint the machine controller will put it back) but not have the machine controller remove any taints", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.Taint"), + }, + }, + }, }, }, - "credentialsSecret": { + "providerSpec": { SchemaProps: spec.SchemaProps{ - Description: "credentialsSecret is a reference to the secret with vSphere credentials.", - Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), + Description: "providerSpec details Provider-specific configuration to use during node creation.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.ProviderSpec"), }, }, - "template": { + "providerID": { SchemaProps: spec.SchemaProps{ - Description: "template is the name, inventory path, or instance UUID of the template used to clone new machines.", - Default: "", + Description: "providerID is the identification ID of the machine provided by the provider. This field must match the provider ID as seen on the node object corresponding to this machine. This field is required by higher level consumers of cluster-api. Example use case is cluster autoscaler with cluster-api as provider. Clean-up logic in the autoscaler compares machines to nodes to find out machines at provider which could not get registered as Kubernetes nodes. With cluster-api as a generic out-of-tree provider for autoscaler, this field is required by autoscaler to be able to have a provider view of the list of machines. Another list of nodes is queried from the k8s apiserver and then a comparison is done to find out unregistered machines and are marked for delete. This field will be set by the actuators and consumed by higher level entities like autoscaler that will be interfacing with cluster-api as generic provider.", Type: []string{"string"}, Format: "", }, }, - "workspace": { + "authoritativeAPI": { SchemaProps: spec.SchemaProps{ - Description: "workspace describes the workspace to use for the machine.", - Ref: ref("github.com/openshift/api/machine/v1beta1.Workspace"), + Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI and ClusterAPI. When set to MachineAPI, writes to the spec of the machine.openshift.io copy of this resource will be reflected into the cluster.x-k8s.io copy. When set to ClusterAPI, writes to the spec of the cluster.x-k8s.io copy of this resource will be reflected into the machine.openshift.io copy. Updates to the status will be reflected in both copies of the resource, based on the controller implementing the functionality of the API. Currently the authoritative API determines which controller will manage the resource, this will change in a future release. To ensure the change has been accepted, please verify that the `status.authoritativeAPI` field has been updated to the desired value and that the `Synchronized` condition is present and set to `True`.", + Default: "MachineAPI", + Type: []string{"string"}, + Format: "", }, }, - "network": { + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.LifecycleHooks", "github.com/openshift/api/machine/v1beta1.ObjectMeta", "github.com/openshift/api/machine/v1beta1.ProviderSpec", "k8s.io/api/core/v1.Taint"}, + } +} + +func schema_openshift_api_machine_v1beta1_MachineStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MachineStatus defines the observed state of Machine", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "nodeRef": { SchemaProps: spec.SchemaProps{ - Description: "network is the network configuration for this machine's VM.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkSpec"), + Description: "nodeRef will point to the corresponding Node if it exists.", + Ref: ref("k8s.io/api/core/v1.ObjectReference"), }, }, - "numCPUs": { + "lastUpdated": { SchemaProps: spec.SchemaProps{ - Description: "numCPUs is the number of virtual processors in a virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int32", + Description: "lastUpdated identifies when this status was last observed.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), }, }, - "numCoresPerSocket": { + "errorReason": { SchemaProps: spec.SchemaProps{ - Description: "NumCPUs is the number of cores among which to distribute CPUs in this virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int32", + Description: "errorReason will be set in the event that there is a terminal problem reconciling the Machine and will contain a succinct value suitable for machine interpretation.\n\nThis field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output.", + Type: []string{"string"}, + Format: "", }, }, - "memoryMiB": { + "errorMessage": { SchemaProps: spec.SchemaProps{ - Description: "memoryMiB is the size of a virtual machine's memory, in MiB. Defaults to the analogue property value in the template from which this machine is cloned.", - Type: []string{"integer"}, - Format: "int64", + Description: "errorMessage will be set in the event that there is a terminal problem reconciling the Machine and will contain a more verbose string suitable for logging and human consumption.\n\nThis field should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the Machine's spec or the configuration of the controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the controller, or the responsible controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the Machine object and/or logged in the controller's output.", + Type: []string{"string"}, + Format: "", }, }, - "diskGiB": { + "providerStatus": { SchemaProps: spec.SchemaProps{ - Description: "diskGiB is the size of a virtual machine's disk, in GiB. Defaults to the analogue property value in the template from which this machine is cloned. This parameter will be ignored if 'LinkedClone' CloneMode is set.", - Type: []string{"integer"}, - Format: "int32", + Description: "providerStatus details a Provider-specific status. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, - "tagIDs": { + "addresses": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ - Description: "tagIDs is an optional set of tags to add to an instance. Specified tagIDs must use URN-notation instead of display names. A maximum of 10 tag IDs may be specified.", + Description: "addresses is a list of addresses assigned to the machine. Queried from cloud provider, if available.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/core/v1.NodeAddress"), }, }, }, }, }, - "snapshot": { + "lastOperation": { SchemaProps: spec.SchemaProps{ - Description: "snapshot is the name of the snapshot from which the VM was cloned", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "lastOperation describes the last-operation performed by the machine-controller. This API should be useful as a history in terms of the latest operation performed on the specific machine. It should also convey the state of the latest-operation for example if it is still on-going, failed or completed successfully.", + Ref: ref("github.com/openshift/api/machine/v1beta1.LastOperation"), }, }, - "cloneMode": { + "phase": { SchemaProps: spec.SchemaProps{ - Description: "cloneMode specifies the type of clone operation. The LinkedClone mode is only support for templates that have at least one snapshot. If the template has no snapshots, then CloneMode defaults to FullClone. When LinkedClone mode is enabled the DiskGiB field is ignored as it is not possible to expand disks of linked clones. Defaults to FullClone. When using LinkedClone, if no snapshots exist for the source template, falls back to FullClone.", + Description: "phase represents the current phase of machine actuation. One of: Failed, Provisioning, Provisioned, Running, Deleting", Type: []string{"string"}, Format: "", }, }, - "dataDisks": { + "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "name", + "type", }, "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "dataDisks is a list of non OS disks to be created and attached to the VM. The max number of disk allowed to be attached is currently 29. The max number of disks for any controller is 30, but VM template will always have OS disk so that will leave 29 disks on any controller type.", + Description: "conditions defines the current state of the Machine", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.VSphereDisk"), + Ref: ref("github.com/openshift/api/machine/v1beta1.Condition"), }, }, }, }, }, + "authoritativeAPI": { + SchemaProps: spec.SchemaProps{ + Description: "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", + Type: []string{"string"}, + Format: "", + }, + }, + "synchronizedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", + Type: []string{"integer"}, + Format: "int64", + }, + }, }, - Required: []string{"template", "network"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.NetworkSpec", "github.com/openshift/api/machine/v1beta1.VSphereDisk", "github.com/openshift/api/machine/v1beta1.Workspace", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.Condition", "github.com/openshift/api/machine/v1beta1.LastOperation", "k8s.io/api/core/v1.NodeAddress", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_MachineTemplateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "VSphereMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains VSphere-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + Description: "MachineTemplateSpec describes the data needed to create a Machine from a template", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", + Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.ObjectMeta"), }, }, - "apiVersion": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "Specification of the desired behavior of the machine. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.MachineSpec"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.MachineSpec", "github.com/openshift/api/machine/v1beta1.ObjectMeta"}, + } +} + +func schema_openshift_api_machine_v1beta1_MetadataServiceOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "MetadataServiceOptions defines the options available to a user when configuring Instance Metadata Service (IMDS) Options.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "authentication": { + SchemaProps: spec.SchemaProps{ + Description: "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service. When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is optional. At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", Type: []string{"string"}, Format: "", }, }, - "instanceId": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_NetworkDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkDeviceSpec defines the network configuration for a virtual machine's network device.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "networkName": { SchemaProps: spec.SchemaProps{ - Description: "instanceId is the ID of the instance in VSphere", + Description: "networkName is the name of the vSphere network or port group to which the network device will be connected, for example, port-group-1. When not provided, the vCenter API will attempt to select a default network. The available networks (port groups) can be listed using `govc ls 'network/*'`", Type: []string{"string"}, Format: "", }, }, - "instanceState": { + "gateway": { SchemaProps: spec.SchemaProps{ - Description: "instanceState is the provisioning state of the VSphere Instance.", + Description: "gateway is an IPv4 or IPv6 address which represents the subnet gateway, for example, 192.168.1.1.", Type: []string{"string"}, Format: "", }, }, - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", + "ipAddrs": { + SchemaProps: spec.SchemaProps{ + Description: "ipAddrs is a list of one or more IPv4 and/or IPv6 addresses and CIDR to assign to this device, for example, 192.168.1.100/24. IP addresses provided via ipAddrs are intended to allow explicit assignment of a machine's IP address. IP pool configurations provided via addressesFromPool, however, defer IP address assignment to an external controller. If both addressesFromPool and ipAddrs are empty or not defined, DHCP will be used to assign an IP address. If both ipAddrs and addressesFromPools are defined, the IP addresses associated with ipAddrs will be applied first followed by IP addresses from addressesFromPools.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, }, - "x-kubernetes-list-type": "map", }, }, + }, + "nameservers": { SchemaProps: spec.SchemaProps{ - Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", + Description: "nameservers is a list of IPv4 and/or IPv6 addresses used as DNS nameservers, for example, 8.8.8.8. a nameserver is not provided by a fulfilled IPAddressClaim. If DHCP is not the source of IP addresses for this network device, nameservers should include a valid nameserver.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "addressesFromPools": { + SchemaProps: spec.SchemaProps{ + Description: "addressesFromPools is a list of references to IP pool types and instances which are handled by an external controller. addressesFromPool configurations provided via addressesFromPools defer IP address assignment to an external controller. IP addresses provided via ipAddrs, however, are intended to allow explicit assignment of a machine's IP address. If both addressesFromPool and ipAddrs are empty or not defined, DHCP will assign an IP address. If both ipAddrs and addressesFromPools are defined, the IP addresses associated with ipAddrs will be applied first followed by IP addresses from addressesFromPools.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + Ref: ref("github.com/openshift/api/machine/v1beta1.AddressesFromPool"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.AddressesFromPool"}, + } +} + +func schema_openshift_api_machine_v1beta1_NetworkSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkSpec defines the virtual machine's network configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "devices": { + SchemaProps: spec.SchemaProps{ + Description: "devices defines the virtual machine's network interfaces.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"), }, }, }, }, }, - "taskRef": { - SchemaProps: spec.SchemaProps{ - Description: "taskRef is a managed object reference to a Task related to the machine. This value is set automatically at runtime and should not be set or modified by users.", - Type: []string{"string"}, - Format: "", - }, - }, }, + Required: []string{"devices"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/machine/v1beta1.NetworkDeviceSpec"}, } } -func schema_openshift_api_machine_v1beta1_Workspace(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_OSDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "WorkspaceConfig defines a workspace configuration for the vSphere cloud provider.", - Type: []string{"object"}, + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "server": { - SchemaProps: spec.SchemaProps{ - Description: "server is the IP address or FQDN of the vSphere endpoint.", - Type: []string{"string"}, - Format: "", - }, - }, - "datacenter": { + "osType": { SchemaProps: spec.SchemaProps{ - Description: "datacenter is the datacenter in which VMs are created/located.", + Description: "osType is the operating system type of the OS disk. Possible values include \"Linux\" and \"Windows\".", + Default: "", Type: []string{"string"}, Format: "", }, }, - "folder": { + "managedDisk": { SchemaProps: spec.SchemaProps{ - Description: "folder is the folder in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "managedDisk specifies the Managed Disk parameters for the OS disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"), }, }, - "datastore": { + "diskSizeGB": { SchemaProps: spec.SchemaProps{ - Description: "datastore is the datastore in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "diskSizeGB is the size in GB to assign to the data disk.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", }, }, - "resourcePool": { + "diskSettings": { SchemaProps: spec.SchemaProps{ - Description: "resourcePool is the resource pool in which VMs are created/located.", - Type: []string{"string"}, - Format: "", + Description: "diskSettings describe ephemeral disk settings for the os disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskSettings"), }, }, - "vmGroup": { + "cachingType": { SchemaProps: spec.SchemaProps{ - Description: "vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal.", + Description: "cachingType specifies the caching requirements. Possible values include: 'None', 'ReadOnly', 'ReadWrite'. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is `None`.", Type: []string{"string"}, Format: "", }, }, }, + Required: []string{"osType", "managedDisk", "diskSizeGB"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskSettings", "github.com/openshift/api/machine/v1beta1.OSDiskManagedDiskParameters"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_BuildInputs(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_OSDiskManagedDiskParameters(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildInputs holds all of the information needed to trigger a build", + Description: "OSDiskManagedDiskParameters is the parameters of a OSDisk managed disk.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "baseOSExtensionsImagePullspec": { + "storageAccountType": { SchemaProps: spec.SchemaProps{ - Description: "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", + Description: "storageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", + Default: "", Type: []string{"string"}, Format: "", }, }, - "baseOSImagePullspec": { + "diskEncryptionSet": { SchemaProps: spec.SchemaProps{ - Description: "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - Type: []string{"string"}, - Format: "", + Description: "diskEncryptionSet is the disk encryption set properties", + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), }, }, - "baseImagePullSecret": { + "securityProfile": { SchemaProps: spec.SchemaProps{ - Description: "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", + Description: "securityProfile specifies the security profile for the managed disk.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), + Ref: ref("github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"), }, }, - "imageBuilder": { + }, + Required: []string{"storageAccountType"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters", "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"}, + } +} + +func schema_openshift_api_machine_v1beta1_ObjectMeta(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. This is a copy of customizable fields from metav1.ObjectMeta.\n\nObjectMeta is embedded in `Machine.Spec`, `MachineDeployment.Template` and `MachineSet.Template`, which are not top-level Kubernetes objects. Given that metav1.ObjectMeta has lots of special cases and read-only fields which end up in the generated CRD validation, having it as a subset simplifies the API and some issues that can impact user experience.\n\nDuring the [upgrade to controller-tools@v2](https://github.com/kubernetes-sigs/cluster-api/pull/1054) for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically `spec.metadata.creationTimestamp in body must be of type string: \"null\"`. The investigation showed that `controller-tools@v2` behaves differently than its previous version when handling types from [metav1](k8s.io/apimachinery/pkg/apis/meta/v1) package.\n\nIn more details, we found that embedded (non-top level) types that embedded `metav1.ObjectMeta` had validation properties, including for `creationTimestamp` (metav1.Time). The `metav1.Time` type specifies a custom json marshaller that, when IsZero() is true, returns `null` which breaks validation because the field isn't marked as nullable.\n\nIn future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { SchemaProps: spec.SchemaProps{ - Description: "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder"), + Description: "name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", + Type: []string{"string"}, + Format: "", }, }, - "renderedImagePushSecret": { + "generateName": { SchemaProps: spec.SchemaProps{ - Description: "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), + Description: "generateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + Type: []string{"string"}, + Format: "", }, }, - "renderedImagePushspec": { + "namespace": { SchemaProps: spec.SchemaProps{ - Description: "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - Default: "", + Description: "namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", Type: []string{"string"}, Format: "", }, }, - "releaseVersion": { + "labels": { SchemaProps: spec.SchemaProps{ - Description: "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", - Type: []string{"string"}, - Format: "", + Description: "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "annotations": { + SchemaProps: spec.SchemaProps{ + Description: "annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, }, }, - "containerFile": { + "ownerReferences": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-list-map-keys": []interface{}{ - "containerfileArch", + "uid", }, "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "containerfileArch", + "x-kubernetes-patch-merge-key": "uid", "x-kubernetes-patch-strategy": "merge", }, }, SchemaProps: spec.SchemaProps{ - Description: "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.", + Description: "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"), }, }, }, }, }, }, - Required: []string{"baseImagePullSecret", "imageBuilder", "renderedImagePushSecret", "renderedImagePushspec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSContainerfile", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSImageBuilder"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_BuildOutputs(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_Placement(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "BuildOutputs holds all information needed to handle booting the image after a build", + Description: "Placement indicates where to create the instance in AWS", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "currentImagePullSecret": { + "region": { SchemaProps: spec.SchemaProps{ - Description: "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"), + Description: "region is the region to use to create the instance", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "fields-to-discriminateBy": map[string]interface{}{ - "currentImagePullSecret": "CurrentImagePullSecret", - }, + "availabilityZone": { + SchemaProps: spec.SchemaProps{ + Description: "availabilityZone is the availability zone of the instance", + Type: []string{"string"}, + Format: "", }, }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.ImageSecretObjectReference"}, - } -} - -func schema_openshift_api_machineconfiguration_v1alpha1_ImageSecretObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Refers to the name of an image registry push/pull secret needed in the build process.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { + "tenancy": { SchemaProps: spec.SchemaProps{ - Description: "name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace.", - Default: "", + Description: "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_ProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", + Description: "ProviderSpec defines the configuration to use during node creation.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "value": { SchemaProps: spec.SchemaProps{ - Description: "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "value is an inlined, serialized representation of the resource configuration. It is recommended that providers maintain their own versioned API types that should be serialized/deserialized from this field, akin to component config.", + Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"), }, }, }, - Required: []string{"name"}, }, }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_ResourceManagerTag(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "ResourceManagerTag is a tag to apply to GCP resources created for the cluster.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "parentID": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "parentID is the ID of the hierarchical resource where the tags are defined e.g. at the Organization or the Project level. To find the Organization or Project ID ref https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects An OrganizationID can have a maximum of 32 characters and must consist of decimal numbers, and cannot have leading zeroes. A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers, and hyphens, and must start with a letter, and cannot end with a hyphen.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "key": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty. Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `._-`.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "value": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object metadata.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Description: "value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty. Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "spec": { + }, + Required: []string{"parentID", "key", "value"}, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_SecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecurityProfile specifies the Security profile settings for a virtual machine or virtual machine scale set.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "encryptionAtHost": { SchemaProps: spec.SchemaProps{ - Description: "spec describes the configuration of the machine config node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec"), + Description: "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", + Type: []string{"boolean"}, + Format: "", }, }, - "status": { + "settings": { SchemaProps: spec.SchemaProps{ - Description: "status describes the last observed state of this machine config node.", + Description: "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus"), + Ref: ref("github.com/openshift/api/machine/v1beta1.SecuritySettings"), }, }, }, - Required: []string{"spec"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machine/v1beta1.SecuritySettings"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "SecuritySettings define the security type and the UEFI settings of the virtual machine.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "kind": { + "securityType": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "confidentialVM": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", + Description: "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Ref: ref("github.com/openshift/api/machine/v1beta1.ConfidentialVM"), }, }, - "metadata": { + "trustedLaunch": { SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list metadata.", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Description: "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", + Ref: ref("github.com/openshift/api/machine/v1beta1.TrustedLaunch"), }, }, - "items": { - SchemaProps: spec.SchemaProps{ - Description: "items contains a collection of MachineConfigNode resources.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode"), - }, - }, + }, + Required: []string{"securityType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "securityType", + "fields-to-discriminateBy": map[string]interface{}{ + "confidentialVM": "ConfidentialVM", + "trustedLaunch": "TrustedLaunch", }, }, }, @@ -40628,250 +41599,238 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(re }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/machine/v1beta1.ConfidentialVM", "github.com/openshift/api/machine/v1beta1.TrustedLaunch"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_SpotMarketOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", + Description: "SpotMarketOptions defines the options available to a user when configuring Machines to run on Spot instances. Most users should provide an empty struct.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "node": { - SchemaProps: spec.SchemaProps{ - Description: "node contains a reference to the node for this machine config node.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), - }, - }, - "pool": { + "maxPrice": { SchemaProps: spec.SchemaProps{ - Description: "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), + Description: "The maximum price the user is willing to pay for their instances Default: On-Demand price", + Type: []string{"string"}, + Format: "", }, }, - "configVersion": { + }, + }, + }, + } +} + +func schema_openshift_api_machine_v1beta1_SpotVMOptions(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SpotVMOptions defines the options relevant to running the Machine on Spot VMs", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "maxPrice": { SchemaProps: spec.SchemaProps{ - Description: "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"), + Description: "maxPrice defines the maximum price the user is willing to pay for Spot VM instances", + Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"), }, }, }, - Required: []string{"node", "pool", "configVersion"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"}, + "k8s.io/apimachinery/pkg/api/resource.Quantity"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpecMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", + Description: "TagSpecification is the name/value pair for a tag", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "desired": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Description: "name of the tag", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "value": { + SchemaProps: spec.SchemaProps{ + Description: "value of the tag", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"desired"}, + Required: []string{"name", "value"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_TrustedLaunch(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatus holds the reported information on a particular machine config node.", + Description: "TrustedLaunch defines the UEFI settings for the virtual machine.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "conditions represent the observations of a machine config node's current state.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, - }, - }, - "observedGeneration": { - SchemaProps: spec.SchemaProps{ - Description: "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - "configVersion": { + "uefiSettings": { SchemaProps: spec.SchemaProps{ - Description: "configVersion describes the current and desired machine config version for this node.", + Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion"), - }, - }, - "pinnedImageSets": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "pinnedImageSets describes the current and desired pinned image sets for this node.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet"), - }, - }, - }, + Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), }, }, }, - Required: []string{"configVersion"}, + Required: []string{"uefiSettings"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/machine/v1beta1.UEFISettings"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_UEFISettings(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", + Description: "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "current": { + "secureBoot": { SchemaProps: spec.SchemaProps{ - Description: "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - Default: "", + Description: "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", Type: []string{"string"}, Format: "", }, }, - "desired": { + "virtualizedTrustedPlatformModule": { SchemaProps: spec.SchemaProps{ - Description: "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - Default: "", + Description: "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"desired"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", + Description: "UnhealthyCondition represents a Node condition type and value with a timeout specified as a duration. When the named condition has been in the given status for at least the timeout value, a node is considered unhealthy.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "type": { SchemaProps: spec.SchemaProps{ - Description: "name is the name of the pinned image set. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - Default: "", - Type: []string{"string"}, - Format: "", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "currentGeneration": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "desiredGeneration": { + "timeout": { SchemaProps: spec.SchemaProps{ - Description: "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Description: "Expects an unsigned duration string of decimal numbers each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"), }, }, - "lastFailedGeneration": { + }, + Required: []string{"type", "status", "timeout"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + } +} + +func schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "diskEncryptionSet": { SchemaProps: spec.SchemaProps{ - Description: "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", - Type: []string{"integer"}, - Format: "int32", + Description: "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), }, }, - "lastFailedGenerationError": { + "securityEncryptionType": { SchemaProps: spec.SchemaProps{ - Description: "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", + Description: "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigPoolReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_VSphereDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", + Description: "VSphereDisk describes additional disks for vSphere.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name of the MachineConfigPool object.", + Description: "name is used to identify the disk definition. name is required needs to be unique so that it can be used to clearly identify purpose of the disk. It must be at most 80 characters in length and must consist only of alphanumeric characters, hyphens and underscores, and must start and end with an alphanumeric character.", Default: "", Type: []string{"string"}, Format: "", }, }, + "sizeGiB": { + SchemaProps: spec.SchemaProps{ + Description: "sizeGiB is the size of the disk in GiB. The maximum supported size 16384 GiB.", + Default: 0, + Type: []string{"integer"}, + Format: "int32", + }, + }, + "provisioningMode": { + SchemaProps: spec.SchemaProps{ + Description: "provisioningMode is an optional field that specifies the provisioning type to be used by this vSphere data disk. Allowed values are \"Thin\", \"Thick\", \"EagerlyZeroed\", and omitted. When set to Thin, the disk will be made using thin provisioning allocating the bare minimum space. When set to Thick, the full disk size will be allocated when disk is created. When set to EagerlyZeroed, the disk will be created using eager zero provisioning. An eager zeroed thick disk has all space allocated and wiped clean of any previous contents on the physical media at creation time. Such disks may take longer time during creation compared to other disk formats. When omitted, no setting will be applied to the data disk and the provisioning mode for the disk will be determined by the default storage policy configured for the datastore in vSphere.", + Type: []string{"string"}, + Format: "", + }, + }, }, - Required: []string{"name"}, + Required: []string{"name", "sizeGiB"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuild(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -40894,139 +41853,163 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuild(ref commo Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "spec": { + "userDataSecret": { SchemaProps: spec.SchemaProps{ - Description: "spec describes the configuration of the machine os build", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec"), + Description: "userDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - "status": { + "credentialsSecret": { SchemaProps: spec.SchemaProps{ - Description: "status describes the lst observed state of this machine os build", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus"), + Description: "credentialsSecret is a reference to the secret with vSphere credentials.", + Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuildStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { + "template": { SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Description: "template is the name, inventory path, or instance UUID of the template used to clone new machines.", + Default: "", Type: []string{"string"}, Format: "", }, }, - "apiVersion": { + "workspace": { SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Description: "workspace describes the workspace to use for the machine.", + Ref: ref("github.com/openshift/api/machine/v1beta1.Workspace"), + }, + }, + "network": { + SchemaProps: spec.SchemaProps{ + Description: "network is the network configuration for this machine's VM.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.NetworkSpec"), + }, + }, + "numCPUs": { + SchemaProps: spec.SchemaProps{ + Description: "numCPUs is the number of virtual processors in a virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "numCoresPerSocket": { + SchemaProps: spec.SchemaProps{ + Description: "NumCPUs is the number of cores among which to distribute CPUs in this virtual machine. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "memoryMiB": { + SchemaProps: spec.SchemaProps{ + Description: "memoryMiB is the size of a virtual machine's memory, in MiB. Defaults to the analogue property value in the template from which this machine is cloned.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "diskGiB": { + SchemaProps: spec.SchemaProps{ + Description: "diskGiB is the size of a virtual machine's disk, in GiB. Defaults to the analogue property value in the template from which this machine is cloned. This parameter will be ignored if 'LinkedClone' CloneMode is set.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + "tagIDs": { + SchemaProps: spec.SchemaProps{ + Description: "tagIDs is an optional set of tags to add to an instance. Specified tagIDs must use URN-notation instead of display names. A maximum of 10 tag IDs may be specified.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "snapshot": { + SchemaProps: spec.SchemaProps{ + Description: "snapshot is the name of the snapshot from which the VM was cloned", + Default: "", Type: []string{"string"}, Format: "", }, }, - "metadata": { + "cloneMode": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Description: "cloneMode specifies the type of clone operation. The LinkedClone mode is only support for templates that have at least one snapshot. If the template has no snapshots, then CloneMode defaults to FullClone. When LinkedClone mode is enabled the DiskGiB field is ignored as it is not possible to expand disks of linked clones. Defaults to FullClone. When using LinkedClone, if no snapshots exist for the source template, falls back to FullClone.", + Type: []string{"string"}, + Format: "", }, }, - "items": { + "dataDisks": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "dataDisks is a list of non OS disks to be created and attached to the VM. The max number of disk allowed to be attached is currently 29. The max number of disks for any controller is 30, but VM template will always have OS disk so that will leave 29 disks on any controller type.", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild"), + Ref: ref("github.com/openshift/api/machine/v1beta1.VSphereDisk"), }, }, }, }, }, }, - Required: []string{"metadata", "items"}, + Required: []string{"template", "network"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuild", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/machine/v1beta1.NetworkSpec", "github.com/openshift/api/machine/v1beta1.VSphereDisk", "github.com/openshift/api/machine/v1beta1.Workspace", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", + Description: "VSphereMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. It contains VSphere-specific status information. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configGeneration": { - SchemaProps: spec.SchemaProps{ - Description: "configGeneration tracks which version of MachineOSConfig this build is based off of", - Default: 0, - Type: []string{"integer"}, - Format: "int64", - }, - }, - "desiredConfig": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "desiredConfig is the desired config we want to build an image for.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference"), + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "machineOSConfig": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "machineOSConfig is the config object which the build is based off of", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference"), + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "version": { + "instanceId": { SchemaProps: spec.SchemaProps{ - Description: "version tracks the newest MachineOSBuild for each MachineOSConfig", - Default: 0, - Type: []string{"integer"}, - Format: "int64", + Description: "instanceId is the ID of the instance in VSphere", + Type: []string{"string"}, + Format: "", }, }, - "renderedImagePushspec": { + "instanceState": { SchemaProps: spec.SchemaProps{ - Description: "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - Default: "", + Description: "instanceState is the provisioning state of the VSphere Instance.", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"configGeneration", "desiredConfig", "machineOSConfig", "version", "renderedImagePushspec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigReference", "github.com/openshift/api/machineconfiguration/v1alpha1.RenderedMachineConfigReference"}, - } -} - -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "MachineOSBuildStatus describes the state of a build and other helpful information.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ "conditions": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ @@ -41037,7 +42020,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", + Description: "conditions is a set of conditions associated with the Machine to indicate errors or other status", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -41049,101 +42032,103 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuildStatus(ref }, }, }, - "builderReference": { + "taskRef": { SchemaProps: spec.SchemaProps{ - Description: "ImageBuilderType describes the image builder set in the MachineOSConfig", - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference"), + Description: "taskRef is a managed object reference to a Task related to the machine. This value is set automatically at runtime and should not be set or modified by users.", + Type: []string{"string"}, + Format: "", }, }, - "relatedObjects": { + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + +func schema_openshift_api_machine_v1beta1_Workspace(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WorkspaceConfig defines a workspace configuration for the vSphere cloud provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "server": { SchemaProps: spec.SchemaProps{ - Description: "relatedObjects is a list of objects that are related to the build process.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"), - }, - }, - }, + Description: "server is the IP address or FQDN of the vSphere endpoint.", + Type: []string{"string"}, + Format: "", }, }, - "buildStart": { + "datacenter": { SchemaProps: spec.SchemaProps{ - Description: "buildStart describes when the build started.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "datacenter is the datacenter in which VMs are created/located.", + Type: []string{"string"}, + Format: "", }, }, - "buildEnd": { + "folder": { SchemaProps: spec.SchemaProps{ - Description: "buildEnd describes when the build ended.", - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + Description: "folder is the folder in which VMs are created/located.", + Type: []string{"string"}, + Format: "", + }, + }, + "datastore": { + SchemaProps: spec.SchemaProps{ + Description: "datastore is the datastore in which VMs are created/located.", + Type: []string{"string"}, + Format: "", }, }, - "finalImagePullspec": { + "resourcePool": { SchemaProps: spec.SchemaProps{ - Description: "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", + Description: "resourcePool is the resource pool in which VMs are created/located.", + Type: []string{"string"}, + Format: "", + }, + }, + "vmGroup": { + SchemaProps: spec.SchemaProps{ + Description: "vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"buildStart"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSBuilderReference", "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSBuilderReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MCOObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", + Description: "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "imageBuilderType": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "imageBuilderType describes the image builder set in the MachineOSConfig", + Description: "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, - "buildPod": { - SchemaProps: spec.SchemaProps{ - Description: "relatedObjects is a list of objects that are related to the build process.", - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"), - }, - }, - }, - Required: []string{"imageBuilderType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "imageBuilderType", - "fields-to-discriminateBy": map[string]interface{}{ - "buildPod": "PodImageBuilder", - }, - }, - }, }, + Required: []string{"name"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.ObjectReference"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNode(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -41162,22 +42147,23 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref comm }, "metadata": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + Description: "metadata is the standard object metadata.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, "spec": { SchemaProps: spec.SchemaProps{ - Description: "spec describes the configuration of the machineosconfig", + Description: "spec describes the configuration of the machine config node.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec"), }, }, "status": { SchemaProps: spec.SchemaProps{ - Description: "status describes the status of the machineosconfig", + Description: "status describes the last observed state of this machine config node.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus"), }, }, }, @@ -41185,15 +42171,15 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfig(ref comm }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpec", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Description: "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -41212,96 +42198,97 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigList(ref }, "metadata": { SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + Description: "metadata is the standard list metadata.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), }, }, "items": { SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, + Description: "items contains a collection of MachineConfigNode resources.", + Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig"), + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode"), }, }, }, }, }, }, - Required: []string{"items"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.MachineOSConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", + Description: "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "node": { SchemaProps: spec.SchemaProps{ - Description: "name of the MachineOSConfig", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "node contains a reference to the node for this machine config node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), + }, + }, + "pool": { + SchemaProps: spec.SchemaProps{ + Description: "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference"), + }, + }, + "configVersion": { + SchemaProps: spec.SchemaProps{ + Description: "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"), }, }, }, - Required: []string{"name"}, + Required: []string{"node", "pool", "configVersion"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/machineconfiguration/v1alpha1.MCOObjectReference", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeSpecMachineConfigVersion"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeSpecMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", + Description: "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "machineConfigPool": { - SchemaProps: spec.SchemaProps{ - Description: "machineConfigPool is the pool which the build is for", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference"), - }, - }, - "buildInputs": { - SchemaProps: spec.SchemaProps{ - Description: "buildInputs is where user input options for the build live", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs"), - }, - }, - "buildOutputs": { + "desired": { SchemaProps: spec.SchemaProps{ - Description: "buildOutputs is where user input options for the build live", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs"), + Description: "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"machineConfigPool", "buildInputs"}, + Required: []string{"desired"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/machineconfiguration/v1alpha1.BuildInputs", "github.com/openshift/api/machineconfiguration/v1alpha1.BuildOutputs", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigPoolReference"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", + Description: "MachineConfigNodeStatus holds the reported information on a particular machine config node.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "conditions": { @@ -41314,7 +42301,7 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(re }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions are state related conditions for the config.", + Description: "conditions represent the observations of a machine config node's current state.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -41328,118 +42315,124 @@ func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSConfigStatus(re }, "observedGeneration": { SchemaProps: spec.SchemaProps{ - Description: "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", + Description: "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", Type: []string{"integer"}, Format: "int64", }, }, - "currentImagePullspec": { + "configVersion": { SchemaProps: spec.SchemaProps{ - Description: "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", - Type: []string{"string"}, - Format: "", + Description: "configVersion describes the current and desired machine config version for this node.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion"), + }, + }, + "pinnedImageSets": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "pinnedImageSets describes the current and desired pinned image sets for this node.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet"), + }, + }, + }, }, }, }, - Required: []string{"observedGeneration"}, + Required: []string{"configVersion"}, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusMachineConfigVersion", "github.com/openshift/api/machineconfiguration/v1alpha1.MachineConfigNodeStatusPinnedImageSet", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSContainerfile(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusMachineConfigVersion(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "MachineOSContainerfile contains all custom content the user wants built into the image", + Description: "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "containerfileArch": { + "current": { SchemaProps: spec.SchemaProps{ - Description: "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", + Description: "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, - "content": { + "desired": { SchemaProps: spec.SchemaProps{ - Description: "content is the custom content to be built", + Description: "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"content"}, + Required: []string{"desired"}, }, }, } } -func schema_openshift_api_machineconfiguration_v1alpha1_MachineOSImageBuilder(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_machineconfiguration_v1alpha1_MachineConfigNodeStatusPinnedImageSet(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "imageBuilderType": { + "name": { SchemaProps: spec.SchemaProps{ - Description: "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", + Description: "name is the name of the pinned image set. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", Default: "", Type: []string{"string"}, Format: "", }, }, - }, - Required: []string{"imageBuilderType"}, - }, - }, - } -} - -func schema_openshift_api_machineconfiguration_v1alpha1_ObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ObjectReference contains enough information to let you inspect or modify the referred object.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "group": { + "currentGeneration": { SchemaProps: spec.SchemaProps{ - Description: "group of the referent.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - "resource": { + "desiredGeneration": { SchemaProps: spec.SchemaProps{ - Description: "resource of the referent.", - Default: "", - Type: []string{"string"}, - Format: "", + Description: "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - "namespace": { + "lastFailedGeneration": { SchemaProps: spec.SchemaProps{ - Description: "namespace of the referent.", - Type: []string{"string"}, - Format: "", + Description: "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", + Type: []string{"integer"}, + Format: "int32", }, }, - "name": { + "lastFailedGenerationError": { SchemaProps: spec.SchemaProps{ - Description: "name of the referent.", - Default: "", + Description: "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"group", "resource", "name"}, + Required: []string{"name"}, }, }, } @@ -41641,28 +42634,6 @@ func schema_openshift_api_machineconfiguration_v1alpha1_PinnedImageSetStatus(ref } } -func schema_openshift_api_machineconfiguration_v1alpha1_RenderedMachineConfigReference(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is the name of the rendered MachineConfig object.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"name"}, - }, - }, - } -} - func schema_openshift_api_monitoring_v1_AlertRelabelConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -45050,12 +46021,6 @@ func schema_openshift_api_openshiftcontrolplane_v1_OpenShiftControllerManagerCon Format: "", }, }, - "kubeClientConfig": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.KubeClientConfig"), - }, - }, "servingInfo": { SchemaProps: spec.SchemaProps{ Description: "servingInfo describes how to start serving", @@ -45160,11 +46125,11 @@ func schema_openshift_api_openshiftcontrolplane_v1_OpenShiftControllerManagerCon }, }, }, - Required: []string{"kubeClientConfig", "servingInfo", "leaderElection", "controllers", "resourceQuota", "serviceServingCert", "deployer", "build", "serviceAccount", "dockerPullSecret", "network", "ingress", "imageImport", "securityAllocator", "featureGates"}, + Required: []string{"servingInfo", "leaderElection", "controllers", "resourceQuota", "serviceServingCert", "deployer", "build", "serviceAccount", "dockerPullSecret", "network", "ingress", "imageImport", "securityAllocator", "featureGates"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.KubeClientConfig", "github.com/openshift/api/config/v1.LeaderElection", "github.com/openshift/api/openshiftcontrolplane/v1.BuildControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DeployerControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DockerPullSecretControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ImageImportControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.IngressControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.NetworkControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ResourceQuotaControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.SecurityAllocator", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceAccountControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceServingCert"}, + "github.com/openshift/api/config/v1.HTTPServingInfo", "github.com/openshift/api/config/v1.LeaderElection", "github.com/openshift/api/openshiftcontrolplane/v1.BuildControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DeployerControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.DockerPullSecretControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ImageImportControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.IngressControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.NetworkControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ResourceQuotaControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.SecurityAllocator", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceAccountControllerConfig", "github.com/openshift/api/openshiftcontrolplane/v1.ServiceServingCert"}, } } @@ -46129,7 +47094,6 @@ func schema_openshift_api_operator_v1_AuthenticationStatus(ref common.ReferenceC }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -46501,7 +47465,6 @@ func schema_openshift_api_operator_v1_CSISnapshotControllerStatus(ref common.Ref }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -46863,7 +47826,6 @@ func schema_openshift_api_operator_v1_CloudCredentialStatus(ref common.Reference }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47120,7 +48082,6 @@ func schema_openshift_api_operator_v1_ClusterCSIDriverStatus(ref common.Referenc }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47419,7 +48380,6 @@ func schema_openshift_api_operator_v1_ConfigStatus(ref common.ReferenceCallback) }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -47892,7 +48852,6 @@ func schema_openshift_api_operator_v1_ConsoleStatus(ref common.ReferenceCallback }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -48931,7 +49890,6 @@ func schema_openshift_api_operator_v1_EtcdStatus(ref common.ReferenceCallback) c }, }, }, - Required: []string{"readyReplicas", "controlPlaneHardwareSpeed"}, }, }, Dependencies: []string{ @@ -49707,7 +50665,7 @@ func schema_openshift_api_operator_v1_IPv4GatewayConfig(ref common.ReferenceCall Properties: map[string]spec.Schema{ "internalMasqueradeSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format", + Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, @@ -49726,14 +50684,14 @@ func schema_openshift_api_operator_v1_IPv4OVNKubernetesConfig(ref common.Referen Properties: map[string]spec.Schema{ "internalTransitSwitchSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, }, "internalJoinSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The current default value is 100.64.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + Description: "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", Type: []string{"string"}, Format: "", }, @@ -49753,7 +50711,7 @@ func schema_openshift_api_operator_v1_IPv6GatewayConfig(ref common.ReferenceCall Properties: map[string]spec.Schema{ "internalMasqueradeSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/125 Note that IPV6 dual addresses are not permitted", + Description: "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, @@ -49772,14 +50730,14 @@ func schema_openshift_api_operator_v1_IPv6OVNKubernetesConfig(ref common.Referen Properties: map[string]spec.Schema{ "internalTransitSwitchSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + Description: "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, }, "internalJoinSubnet": { SchemaProps: spec.SchemaProps{ - Description: "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + Description: "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", Type: []string{"string"}, Format: "", }, @@ -49879,6 +50837,7 @@ func schema_openshift_api_operator_v1_IngressControllerCaptureHTTPCookie(ref com "matchType": { SchemaProps: spec.SchemaProps{ Description: "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -49937,6 +50896,7 @@ func schema_openshift_api_operator_v1_IngressControllerCaptureHTTPCookieUnion(re "matchType": { SchemaProps: spec.SchemaProps{ Description: "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", + Default: "", Type: []string{"string"}, Format: "", }, @@ -50585,7 +51545,6 @@ func schema_openshift_api_operator_v1_IngressControllerStatus(ref common.Referen }, }, }, - Required: []string{"availableReplicas", "selector", "domain"}, }, }, Dependencies: []string{ @@ -50937,7 +51896,6 @@ func schema_openshift_api_operator_v1_InsightsOperatorStatus(ref common.Referenc }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -50985,6 +51943,39 @@ func schema_openshift_api_operator_v1_InsightsReport(ref common.ReferenceCallbac } } +func schema_openshift_api_operator_v1_IrreconcilableValidationOverrides(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "IrreconcilableValidationOverrides holds the irreconcilable validations overrides to be applied on each rendered MachineConfig generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "storage": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "storage can be used to allow making irreconcilable changes to the selected sections under the `spec.config.storage` field of MachineConfig CRs It must have at least one item, may not exceed 3 items and must not contain duplicates. Allowed element values are \"Disks\", \"FileSystems\", \"Raid\" and omitted. When contains \"Disks\" changes to the `spec.config.storage.disks` section of MachineConfig CRs are allowed. When contains \"FileSystems\" changes to the `spec.config.storage.filesystems` section of MachineConfig CRs are allowed. When contains \"Raid\" changes to the `spec.config.storage.raid` section of MachineConfig CRs are allowed. When omitted changes to the `spec.config.storage` section are forbidden.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_operator_v1_KubeAPIServer(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -51284,7 +52275,6 @@ func schema_openshift_api_operator_v1_KubeAPIServerStatus(ref common.ReferenceCa }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -51585,7 +52575,6 @@ func schema_openshift_api_operator_v1_KubeControllerManagerStatus(ref common.Ref }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -51878,7 +52867,6 @@ func schema_openshift_api_operator_v1_KubeSchedulerStatus(ref common.ReferenceCa }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -52118,7 +53106,6 @@ func schema_openshift_api_operator_v1_KubeStorageVersionMigratorStatus(ref commo }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -52513,12 +53500,19 @@ func schema_openshift_api_operator_v1_MachineConfigurationSpec(ref common.Refere Ref: ref("github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig"), }, }, + "irreconcilableValidationOverrides": { + SchemaProps: spec.SchemaProps{ + Description: "irreconcilableValidationOverrides is an optional field that can used to make changes to a MachineConfig that cannot be applied to existing nodes. When specified, the fields configured with validation overrides will no longer reject changes to those respective fields due to them not being able to be applied to existing nodes. Only newly provisioned nodes will have these configurations applied. Existing nodes will report observed configuration differences in their MachineConfigNode status.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides"), + }, + }, }, Required: []string{"managementState", "forceRedeploymentReason"}, }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.ManagedBootImages", "github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, + "github.com/openshift/api/operator/v1.IrreconcilableValidationOverrides", "github.com/openshift/api/operator/v1.ManagedBootImages", "github.com/openshift/api/operator/v1.NodeDisruptionPolicyConfig", "k8s.io/apimachinery/pkg/runtime.RawExtension"}, } } @@ -52877,7 +53871,6 @@ func schema_openshift_api_operator_v1_MyOperatorResourceStatus(ref common.Refere }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -53311,7 +54304,6 @@ func schema_openshift_api_operator_v1_NetworkStatus(ref common.ReferenceCallback }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -54215,7 +55207,6 @@ func schema_openshift_api_operator_v1_OLMStatus(ref common.ReferenceCallback) co }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -54271,14 +55262,14 @@ func schema_openshift_api_operator_v1_OVNKubernetesConfig(ref common.ReferenceCa }, "v4InternalSubnet": { SchemaProps: spec.SchemaProps{ - Description: "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", + Description: "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is 100.64.0.0/16", Type: []string{"string"}, Format: "", }, }, "v6InternalSubnet": { SchemaProps: spec.SchemaProps{ - Description: "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", + Description: "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is fd98::/64", Type: []string{"string"}, Format: "", }, @@ -54551,7 +55542,6 @@ func schema_openshift_api_operator_v1_OpenShiftAPIServerStatus(ref common.Refere }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -54791,7 +55781,6 @@ func schema_openshift_api_operator_v1_OpenShiftControllerManagerStatus(ref commo }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55052,7 +56041,6 @@ func schema_openshift_api_operator_v1_OperatorStatus(ref common.ReferenceCallbac }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -55898,7 +56886,6 @@ func schema_openshift_api_operator_v1_ServiceCAStatus(ref common.ReferenceCallba }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -56138,7 +57125,6 @@ func schema_openshift_api_operator_v1_ServiceCatalogAPIServerStatus(ref common.R }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -56378,7 +57364,6 @@ func schema_openshift_api_operator_v1_ServiceCatalogControllerManagerStatus(ref }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -56789,7 +57774,6 @@ func schema_openshift_api_operator_v1_StaticPodOperatorStatus(ref common.Referen }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -57062,7 +58046,6 @@ func schema_openshift_api_operator_v1_StorageStatus(ref common.ReferenceCallback }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -58226,7 +59209,6 @@ func schema_openshift_api_operator_v1alpha1_OLMStatus(ref common.ReferenceCallba }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -60652,216 +61634,6 @@ func schema_openshift_api_osin_v1_TokenConfig(ref common.ReferenceCallback) comm } } -func schema_openshift_api_platform_v1alpha1_ActiveBundleDeployment(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ActiveBundleDeployment references a BundleDeployment resource.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is the metadata.name of the referenced BundleDeployment object.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"name"}, - }, - }, - } -} - -func schema_openshift_api_platform_v1alpha1_Package(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Package contains fields to configure which OLM package this PlatformOperator will install", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name contains the desired OLM-based Operator package name that is defined in an existing CatalogSource resource in the cluster.\n\nThis configured package will be managed with the cluster's lifecycle. In the current implementation, it will be retrieving this name from a list of supported operators out of the catalogs included with OpenShift.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"name"}, - }, - }, - } -} - -func schema_openshift_api_platform_v1alpha1_PlatformOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PlatformOperator is the Schema for the PlatformOperators API.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/platform/v1alpha1.PlatformOperatorSpec", "github.com/openshift/api/platform/v1alpha1.PlatformOperatorStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_platform_v1alpha1_PlatformOperatorList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PlatformOperatorList contains a list of PlatformOperators\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/platform/v1alpha1.PlatformOperator"), - }, - }, - }, - }, - }, - }, - Required: []string{"items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/platform/v1alpha1.PlatformOperator", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, - } -} - -func schema_openshift_api_platform_v1alpha1_PlatformOperatorSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PlatformOperatorSpec defines the desired state of PlatformOperator.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "package": { - SchemaProps: spec.SchemaProps{ - Description: "package contains the desired package and its configuration for this PlatformOperator.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/platform/v1alpha1.Package"), - }, - }, - }, - Required: []string{"package"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/platform/v1alpha1.Package"}, - } -} - -func schema_openshift_api_platform_v1alpha1_PlatformOperatorStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PlatformOperatorStatus defines the observed state of PlatformOperator", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "conditions represent the latest available observations of a platform operator's current state.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), - }, - }, - }, - }, - }, - "activeBundleDeployment": { - SchemaProps: spec.SchemaProps{ - Description: "activeBundleDeployment is the reference to the BundleDeployment resource that's being managed by this PO resource. If this field is not populated in the status then it means the PlatformOperator has either not been installed yet or is failing to install.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment"), - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/platform/v1alpha1.ActiveBundleDeployment", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, - } -} - func schema_openshift_api_project_v1_Project(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -62710,7 +63482,6 @@ func schema_openshift_api_security_v1_PodSecurityPolicyReviewStatus(ref common.R }, }, }, - Required: []string{"allowedServiceAccounts"}, }, }, Dependencies: []string{ @@ -63915,7 +64686,6 @@ func schema_openshift_api_servicecertsigner_v1alpha1_ServiceCertSignerOperatorCo }, }, }, - Required: []string{"readyReplicas"}, }, }, Dependencies: []string{ @@ -68266,6 +69036,14 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm }, }, }, + "stopSignal": { + SchemaProps: spec.SchemaProps{ + Description: "StopSignal reports the effective stop signal for this container\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"SIGABRT", "SIGALRM", "SIGBUS", "SIGCHLD", "SIGCLD", "SIGCONT", "SIGFPE", "SIGHUP", "SIGILL", "SIGINT", "SIGIO", "SIGIOT", "SIGKILL", "SIGPIPE", "SIGPOLL", "SIGPROF", "SIGPWR", "SIGQUIT", "SIGRTMAX", "SIGRTMAX-1", "SIGRTMAX-10", "SIGRTMAX-11", "SIGRTMAX-12", "SIGRTMAX-13", "SIGRTMAX-14", "SIGRTMAX-2", "SIGRTMAX-3", "SIGRTMAX-4", "SIGRTMAX-5", "SIGRTMAX-6", "SIGRTMAX-7", "SIGRTMAX-8", "SIGRTMAX-9", "SIGRTMIN", "SIGRTMIN+1", "SIGRTMIN+10", "SIGRTMIN+11", "SIGRTMIN+12", "SIGRTMIN+13", "SIGRTMIN+14", "SIGRTMIN+15", "SIGRTMIN+2", "SIGRTMIN+3", "SIGRTMIN+4", "SIGRTMIN+5", "SIGRTMIN+6", "SIGRTMIN+7", "SIGRTMIN+8", "SIGRTMIN+9", "SIGSEGV", "SIGSTKFLT", "SIGSTOP", "SIGSYS", "SIGTERM", "SIGTRAP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGUSR1", "SIGUSR2", "SIGVTALRM", "SIGWINCH", "SIGXCPU", "SIGXFSZ"}, + }, + }, }, Required: []string{"name", "ready", "restartCount", "image", "imageID"}, }, @@ -68468,7 +69246,7 @@ func schema_k8sio_api_core_v1_EndpointAddress(ref common.ReferenceCallback) comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointAddress is a tuple that describes single IP address.", + Description: "EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "ip": { @@ -68517,7 +69295,7 @@ func schema_k8sio_api_core_v1_EndpointPort(ref common.ReferenceCallback) common. return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointPort is a tuple that describes a single port.", + Description: "EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "name": { @@ -68566,7 +69344,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]", + Description: "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "addresses": { @@ -68638,7 +69416,7 @@ func schema_k8sio_api_core_v1_Endpoints(ref common.ReferenceCallback) common.Ope return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]", + Description: "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]\n\nEndpoints is a legacy API and does not contain information about all Service features. Use discoveryv1.EndpointSlice for complete information about Service endpoints.\n\nDeprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -68693,7 +69471,7 @@ func schema_k8sio_api_core_v1_EndpointsList(ref common.ReferenceCallback) common return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EndpointsList is a list of endpoints.", + Description: "EndpointsList is a list of endpoints. Deprecated: This API is deprecated in v1.33+.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { @@ -68744,12 +69522,12 @@ func schema_k8sio_api_core_v1_EnvFromSource(ref common.ReferenceCallback) common return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "EnvFromSource represents the source of a set of ConfigMaps", + Description: "EnvFromSource represents the source of a set of ConfigMaps or Secrets", Type: []string{"object"}, Properties: map[string]spec.Schema{ "prefix": { SchemaProps: spec.SchemaProps{ - Description: "An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.", + Description: "Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.", Type: []string{"string"}, Format: "", }, @@ -70651,6 +71429,14 @@ func schema_k8sio_api_core_v1_Lifecycle(ref common.ReferenceCallback) common.Ope Ref: ref("k8s.io/api/core/v1.LifecycleHandler"), }, }, + "stopSignal": { + SchemaProps: spec.SchemaProps{ + Description: "StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"SIGABRT", "SIGALRM", "SIGBUS", "SIGCHLD", "SIGCLD", "SIGCONT", "SIGFPE", "SIGHUP", "SIGILL", "SIGINT", "SIGIO", "SIGIOT", "SIGKILL", "SIGPIPE", "SIGPOLL", "SIGPROF", "SIGPWR", "SIGQUIT", "SIGRTMAX", "SIGRTMAX-1", "SIGRTMAX-10", "SIGRTMAX-11", "SIGRTMAX-12", "SIGRTMAX-13", "SIGRTMAX-14", "SIGRTMAX-2", "SIGRTMAX-3", "SIGRTMAX-4", "SIGRTMAX-5", "SIGRTMAX-6", "SIGRTMAX-7", "SIGRTMAX-8", "SIGRTMAX-9", "SIGRTMIN", "SIGRTMIN+1", "SIGRTMIN+10", "SIGRTMIN+11", "SIGRTMIN+12", "SIGRTMIN+13", "SIGRTMIN+14", "SIGRTMIN+15", "SIGRTMIN+2", "SIGRTMIN+3", "SIGRTMIN+4", "SIGRTMIN+5", "SIGRTMIN+6", "SIGRTMIN+7", "SIGRTMIN+8", "SIGRTMIN+9", "SIGSEGV", "SIGSTKFLT", "SIGSTOP", "SIGSYS", "SIGTERM", "SIGTRAP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGUSR1", "SIGUSR2", "SIGVTALRM", "SIGWINCH", "SIGXCPU", "SIGXFSZ"}, + }, + }, }, }, }, @@ -72327,6 +73113,26 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op } } +func schema_k8sio_api_core_v1_NodeSwapStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NodeSwapStatus represents swap memory information.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "capacity": { + SchemaProps: spec.SchemaProps{ + Description: "Total amount of swap memory in bytes.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + }, + }, + } +} + func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -72414,10 +73220,18 @@ func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) commo Format: "", }, }, + "swap": { + SchemaProps: spec.SchemaProps{ + Description: "Swap Info reported by the node.", + Ref: ref("k8s.io/api/core/v1.NodeSwapStatus"), + }, + }, }, Required: []string{"machineID", "systemUUID", "bootID", "kernelVersion", "osImage", "containerRuntimeVersion", "kubeletVersion", "kubeProxyVersion", "operatingSystem", "architecture"}, }, }, + Dependencies: []string{ + "k8s.io/api/core/v1.NodeSwapStatus"}, } } @@ -73687,7 +74501,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm }, }, SchemaProps: spec.SchemaProps{ - Description: "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", + Description: "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -73707,7 +74521,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm }, }, SchemaProps: spec.SchemaProps{ - Description: "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", + Description: "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -73859,6 +74673,13 @@ func schema_k8sio_api_core_v1_PodCondition(ref common.ReferenceCallback) common. Format: "", }, }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", + Type: []string{"integer"}, + Format: "int64", + }, + }, "status": { SchemaProps: spec.SchemaProps{ Description: "Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions", @@ -74662,7 +75483,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA }, }, SchemaProps: spec.SchemaProps{ - Description: "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", + Description: "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -75119,6 +75940,13 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope Description: "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.", Type: []string{"object"}, Properties: map[string]spec.Schema{ + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", + Type: []string{"integer"}, + Format: "int64", + }, + }, "phase": { SchemaProps: spec.SchemaProps{ Description: "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)", @@ -75304,7 +76132,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope }, "resize": { SchemaProps: spec.SchemaProps{ - Description: "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"", + Description: "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.", Type: []string{"string"}, Format: "", }, @@ -76265,6 +77093,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerSpec(ref common.ReferenceCall "replicas": { SchemaProps: spec.SchemaProps{ Description: "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller", + Default: 1, Type: []string{"integer"}, Format: "int32", }, @@ -76272,6 +77101,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerSpec(ref common.ReferenceCall "minReadySeconds": { SchemaProps: spec.SchemaProps{ Description: "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)", + Default: 0, Type: []string{"integer"}, Format: "int32", }, @@ -76624,7 +77454,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaSpec(ref common.ReferenceCallback) co Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating"}, + Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating", "VolumeAttributesClass"}, }, }, }, @@ -77065,11 +77895,11 @@ func schema_k8sio_api_core_v1_ScopedResourceSelectorRequirement(ref common.Refer Properties: map[string]spec.Schema{ "scopeName": { SchemaProps: spec.SchemaProps{ - Description: "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0", + Description: "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0\n - `\"VolumeAttributesClass\"` Match all pvc objects that have volume attributes class mentioned.", Default: "", Type: []string{"string"}, Format: "", - Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating"}, + Enum: []interface{}{"BestEffort", "CrossNamespacePodAffinity", "NotBestEffort", "NotTerminating", "PriorityClass", "Terminating", "VolumeAttributesClass"}, }, }, "operator": { @@ -78218,7 +79048,7 @@ func schema_k8sio_api_core_v1_ServiceSpec(ref common.ReferenceCallback) common.O }, "trafficDistribution": { SchemaProps: spec.SchemaProps{ - Description: "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are topologically close (e.g., same zone). This is a beta field and requires enabling ServiceTrafficDistribution feature.", + Description: "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are in the same zone.", Type: []string{"string"}, Format: "", }, @@ -78701,7 +79531,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb }, "nodeAffinityPolicy": { SchemaProps: spec.SchemaProps{ - Description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + Description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", Type: []string{"string"}, Format: "", Enum: []interface{}{"Honor", "Ignore"}, @@ -78709,7 +79539,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb }, "nodeTaintsPolicy": { SchemaProps: spec.SchemaProps{ - Description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + Description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", Type: []string{"string"}, Format: "", Enum: []interface{}{"Honor", "Ignore"}, @@ -79021,7 +79851,7 @@ func schema_k8sio_api_core_v1_Volume(ref common.ReferenceCallback) common.OpenAP }, "image": { SchemaProps: spec.SchemaProps{ - Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", Ref: ref("k8s.io/api/core/v1.ImageVolumeSource"), }, }, @@ -79466,7 +80296,7 @@ func schema_k8sio_api_core_v1_VolumeSource(ref common.ReferenceCallback) common. }, "image": { SchemaProps: spec.SchemaProps{ - Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", Ref: ref("k8s.io/api/core/v1.ImageVolumeSource"), }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 2bdecc054d1..3c5241ac060 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -526,14 +526,6 @@ "com.github.openshift.api.apps.v1.DeploymentConfigStatus": { "description": "DeploymentConfigStatus represents the current deployment state.", "type": "object", - "required": [ - "latestVersion", - "observedGeneration", - "replicas", - "updatedReplicas", - "availableReplicas", - "unavailableReplicas" - ], "properties": { "availableReplicas": { "description": "availableReplicas is the total number of available pods targeted by this deployment config.", @@ -2147,9 +2139,6 @@ "com.github.openshift.api.authorization.v1.SubjectRulesReviewStatus": { "description": "SubjectRulesReviewStatus is contains the result of a rules check", "type": "object", - "required": [ - "rules" - ], "properties": { "evaluationError": { "description": "evaluationError can appear in combination with Rules. It means some error happened during evaluation that may have prevented additional rules from being populated.", @@ -2482,9 +2471,6 @@ "com.github.openshift.api.build.v1.BuildConfigStatus": { "description": "BuildConfigStatus contains current state of the build config object.", "type": "object", - "required": [ - "lastVersion" - ], "properties": { "imageChangeTriggers": { "description": "imageChangeTriggers captures the runtime state of any ImageChangeTrigger specified in the BuildConfigSpec, including the value reconciled by the OpenShift APIServer for the lastTriggeredImageID. There is a single entry in this array for each image change trigger in spec. Each trigger status references the ImageStreamTag that acts as the source of the trigger.", @@ -2844,9 +2830,6 @@ "com.github.openshift.api.build.v1.BuildStatus": { "description": "BuildStatus contains the status of a build", "type": "object", - "required": [ - "phase" - ], "properties": { "cancelled": { "description": "cancelled describes if a cancel event was triggered for the build.", @@ -4154,7 +4137,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerServingCerts" }, "tlsSecurityProfile": { - "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TLSSecurityProfile" } } @@ -4182,7 +4165,8 @@ "properties": { "type": { "description": "type allows user to set a load balancer type. When this field is set the default ingresscontroller will get created using the specified LBType. If this field is not set then the default ingress controller of LBType Classic will be created. Valid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n transport layer (TCP/SSL). See the following for additional details:\n\n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb", - "type": "string" + "type": "string", + "default": "" } }, "x-kubernetes-unions": [ @@ -4513,7 +4497,8 @@ }, "profile": { "description": "profile specifies the name of the desired audit policy configuration to be deployed to all OpenShift-provided API servers in the cluster.\n\nThe following profiles are provided: - Default: the existing default policy. - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for write requests (create, update, patch). - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response HTTP payloads for read requests (get, list). - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.\n\nIf unset, the 'Default' profile is used as the default.", - "type": "string" + "type": "string", + "default": "" } } }, @@ -4626,10 +4611,6 @@ }, "com.github.openshift.api.config.v1.AuthenticationStatus": { "type": "object", - "required": [ - "integratedOAuthMetadata", - "oidcClients" - ], "properties": { "integratedOAuthMetadata": { "description": "integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for the in-cluster integrated OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This contains the observed value based on cluster state. An explicitly set value in spec.oauthMetadata has precedence over this field. This field has no meaning if authentication spec.type is not set to IntegratedOAuth. The key \"oauthMetadata\" is used to locate the data. If the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config-managed.", @@ -4666,6 +4647,13 @@ "description": "armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.", "type": "string" }, + "cloudLoadBalancerConfig": { + "description": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", + "default": { + "dnsType": "PlatformDefault" + }, + "$ref": "#/definitions/com.github.openshift.api.config.v1.CloudLoadBalancerConfig" + }, "cloudName": { "description": "cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the value is equal to `AzurePublicCloud`.", "type": "string" @@ -5127,6 +5115,110 @@ } } }, + "com.github.openshift.api.config.v1.ClusterImagePolicy": { + "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec contains the configuration for the cluster image policy.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicySpec" + }, + "status": { + "description": "status contains the observed state of the resource.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicyStatus" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicyList": { + "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items is a list of ClusterImagePolices", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicySpec": { + "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "type": "object", + "required": [ + "scopes", + "policy" + ], + "properties": { + "policy": { + "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + }, + "scopes": { + "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicyStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions provide details on the status of this API Resource.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + } + }, "com.github.openshift.api.config.v1.ClusterNetworkEntry": { "description": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "type": "object", @@ -5147,7 +5239,7 @@ } }, "com.github.openshift.api.config.v1.ClusterOperator": { - "description": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "description": "ClusterOperator holds the status of a core or optional OpenShift component managed by the Cluster Version Operator (CVO). This object is used by operators to convey their state to the rest of the cluster. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", "required": [ "metadata", @@ -5403,7 +5495,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesSpec" }, "channel": { - "description": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", + "description": "channel is an identifier for explicitly requesting a non-default set of updates to be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters.", "type": "string" }, "clusterID": { @@ -5455,7 +5547,6 @@ "desired", "observedGeneration", "versionHash", - "capabilities", "availableUpdates" ], "properties": { @@ -5848,9 +5939,6 @@ "com.github.openshift.api.config.v1.ConsoleStatus": { "description": "ConsoleStatus defines the observed status of the Console.", "type": "object", - "required": [ - "consoleURL" - ], "properties": { "consoleURL": { "description": "The URL for the console. This will be derived from the host for the route that is created for the console.", @@ -6243,7 +6331,7 @@ "default": "" }, "valueExpression": { - "description": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 4096 characters in length. valueExpression must not be empty.", + "description": "valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. \"\", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nvalueExpression must not exceed 1024 characters in length. valueExpression must not be empty.", "type": "string", "default": "" } @@ -6397,9 +6485,6 @@ }, "com.github.openshift.api.config.v1.FeatureGateStatus": { "type": "object", - "required": [ - "featureGates" - ], "properties": { "conditions": { "description": "conditions represent the observations of the current state. Known .status.conditions.type are: \"DeterminationDegraded\"", @@ -6449,6 +6534,32 @@ } } }, + "com.github.openshift.api.config.v1.FulcioCAWithRekor": { + "description": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "type": "object", + "required": [ + "fulcioCAData", + "rekorKeyData", + "fulcioSubject" + ], + "properties": { + "fulcioCAData": { + "description": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "fulcioSubject": { + "description": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyFulcioSubject" + }, + "rekorKeyData": { + "description": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.GCPPlatformSpec": { "description": "GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object" @@ -6503,7 +6614,7 @@ "x-kubernetes-list-type": "map" }, "serviceEndpoints": { - "description": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 9.", + "description": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", "type": "array", "items": { "default": {}, @@ -6885,7 +6996,7 @@ "type": "object", "properties": { "serviceEndpoints": { - "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", + "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", "type": "array", "items": { "default": {}, @@ -6923,7 +7034,7 @@ "type": "string" }, "serviceEndpoints": { - "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", + "description": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints.", "type": "array", "items": { "default": {}, @@ -7327,6 +7438,110 @@ } } }, + "com.github.openshift.api.config.v1.ImagePolicy": { + "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec holds user settable values for configuration", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicySpec" + }, + "status": { + "description": "status contains the observed state of the resource.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyStatus" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicyList": { + "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items is a list of ImagePolicies", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicySpec": { + "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "type": "object", + "required": [ + "scopes", + "policy" + ], + "properties": { + "policy": { + "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + }, + "scopes": { + "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicyStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + } + }, "com.github.openshift.api.config.v1.ImageSpec": { "type": "object", "properties": { @@ -7583,14 +7798,6 @@ "com.github.openshift.api.config.v1.InfrastructureStatus": { "description": "InfrastructureStatus describes the infrastructure the cluster is leveraging.", "type": "object", - "required": [ - "infrastructureName", - "etcdDiscoveryDomain", - "apiServerURL", - "apiServerInternalURI", - "controlPlaneTopology", - "infrastructureTopology" - ], "properties": { "apiServerInternalURI": { "description": "apiServerInternalURL is a valid URI with scheme 'https', address and optionally a port (defaulting to 443). apiServerInternalURL can be used by components like kubelets, to contact the Kubernetes API server using the infrastructure provider rather than Kubernetes networking.", @@ -7624,8 +7831,7 @@ }, "infrastructureTopology": { "description": "infrastructureTopology expresses the expectations for infrastructure services that do not run on control plane nodes, usually indicated by a node selector for a `role` value other than `master`. The default is 'HighlyAvailable', which represents the behavior operators have in a \"normal\" cluster. The 'SingleReplica' mode will be used in single-node deployments and the operators should not configure the operand for highly-available operation NOTE: External topology mode is not applicable for this field.", - "type": "string", - "default": "" + "type": "string" }, "platform": { "description": "platform is the underlying infrastructure provider for the cluster.\n\nDeprecated: Use platformStatus.type instead.", @@ -8783,37 +8989,36 @@ } }, "com.github.openshift.api.config.v1.OIDCClientConfig": { + "description": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", "type": "object", "required": [ "componentName", "componentNamespace", - "clientID", - "clientSecret", - "extraScopes" + "clientID" ], "properties": { "clientID": { - "description": "clientID is the identifier of the OIDC client from the OIDC provider", + "description": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", "type": "string", "default": "" }, "clientSecret": { - "description": "clientSecret refers to a secret in the `openshift-config` namespace that contains the client secret in the `clientSecret` key of the `.data` field", + "description": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.SecretNameReference" }, "componentName": { - "description": "componentName is the name of the component that is supposed to consume this client configuration", + "description": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", "type": "string", "default": "" }, "componentNamespace": { - "description": "componentNamespace is the namespace of the component that is supposed to consume this client configuration", + "description": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "type": "string", "default": "" }, "extraScopes": { - "description": "extraScopes is an optional set of scopes to request tokens with.", + "description": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", "type": "array", "items": { "type": "string", @@ -8824,6 +9029,7 @@ } }, "com.github.openshift.api.config.v1.OIDCClientReference": { + "description": "OIDCClientReference is a reference to a platform component client configuration.", "type": "object", "required": [ "oidcProviderName", @@ -8832,38 +9038,37 @@ ], "properties": { "clientID": { - "description": "clientID is the identifier of the OIDC client from the OIDC provider", + "description": "clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.\n\nclientID must not be empty.", "type": "string", "default": "" }, "issuerURL": { - "description": "URL is the serving URL of the token issuer. Must use the https:// scheme.", + "description": "issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.\n\nissuerURL must use the 'https' scheme.", "type": "string", "default": "" }, "oidcProviderName": { - "description": "OIDCName refers to the `name` of the provider from `oidcProviders`", + "description": "oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.\n\noidcProviderName must not be an empty string (\"\").", "type": "string", "default": "" } } }, "com.github.openshift.api.config.v1.OIDCClientStatus": { + "description": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", "type": "object", "required": [ "componentName", - "componentNamespace", - "currentOIDCClients", - "consumingUsers" + "componentNamespace" ], "properties": { "componentName": { - "description": "componentName is the name of the component that will consume a client configuration.", + "description": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", "type": "string", "default": "" }, "componentNamespace": { - "description": "componentNamespace is the namespace of the component that will consume a client configuration.", + "description": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "type": "string", "default": "" }, @@ -8880,7 +9085,7 @@ "x-kubernetes-list-type": "map" }, "consumingUsers": { - "description": "consumingUsers is a slice of ServiceAccounts that need to have read permission on the `clientSecret` secret.", + "description": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "type": "array", "items": { "type": "string", @@ -8889,7 +9094,7 @@ "x-kubernetes-list-type": "set" }, "currentOIDCClients": { - "description": "currentOIDCClients is a list of clients that the component is currently using.", + "description": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", "type": "array", "items": { "default": {}, @@ -8908,17 +9113,16 @@ "required": [ "name", "issuer", - "oidcClients", "claimMappings" ], "properties": { "claimMappings": { - "description": "claimMappings describes rules on how to transform information from an ID token into a cluster identity", + "description": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimMappings" }, "claimValidationRules": { - "description": "claimValidationRules are rules that are applied to validate token claims to authenticate users.", + "description": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", "type": "array", "items": { "default": {}, @@ -8927,17 +9131,17 @@ "x-kubernetes-list-type": "atomic" }, "issuer": { - "description": "issuer describes atributes of the OIDC token issuer", + "description": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenIssuer" }, "name": { - "description": "name of the OIDC provider", + "description": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", "type": "string", "default": "" }, "oidcClients": { - "description": "oidcClients contains configuration for the platform's clients that need to request tokens from the issuer", + "description": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", "type": "array", "items": { "default": {}, @@ -9379,6 +9583,45 @@ } } }, + "com.github.openshift.api.config.v1.PKI": { + "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "type": "object", + "required": [ + "caRootsData", + "pkiCertificateSubject" + ], + "properties": { + "caIntermediatesData": { + "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + "type": "string", + "format": "byte" + }, + "caRootsData": { + "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + "type": "string", + "format": "byte" + }, + "pkiCertificateSubject": { + "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PKICertificateSubject" + } + } + }, + "com.github.openshift.api.config.v1.PKICertificateSubject": { + "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "type": "object", + "properties": { + "email": { + "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "type": "string" + }, + "hostname": { + "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.PlatformSpec": { "description": "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.", "type": "object", @@ -9519,6 +9762,143 @@ } } }, + "com.github.openshift.api.config.v1.Policy": { + "description": "Policy defines the verification policy for the items in the scopes list.", + "type": "object", + "required": [ + "rootOfTrust" + ], + "properties": { + "rootOfTrust": { + "description": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyRootOfTrust" + }, + "signedIdentity": { + "description": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyIdentity" + } + } + }, + "com.github.openshift.api.config.v1.PolicyFulcioSubject": { + "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "type": "object", + "required": [ + "oidcIssuer", + "signedEmail" + ], + "properties": { + "oidcIssuer": { + "description": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "type": "string", + "default": "" + }, + "signedEmail": { + "description": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyIdentity": { + "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "type": "object", + "required": [ + "matchPolicy" + ], + "properties": { + "exactRepository": { + "description": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchExactRepository" + }, + "matchPolicy": { + "description": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "type": "string", + "default": "" + }, + "remapIdentity": { + "description": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchRemapIdentity" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "matchPolicy", + "fields-to-discriminateBy": { + "exactRepository": "PolicyMatchExactRepository", + "remapIdentity": "PolicyMatchRemapIdentity" + } + } + ] + }, + "com.github.openshift.api.config.v1.PolicyMatchExactRepository": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "repository": { + "description": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyMatchRemapIdentity": { + "type": "object", + "required": [ + "prefix", + "signedPrefix" + ], + "properties": { + "prefix": { + "description": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "type": "string", + "default": "" + }, + "signedPrefix": { + "description": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyRootOfTrust": { + "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "type": "object", + "required": [ + "policyType" + ], + "properties": { + "fulcioCAWithRekor": { + "description": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "$ref": "#/definitions/com.github.openshift.api.config.v1.FulcioCAWithRekor" + }, + "pki": { + "description": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI" + }, + "policyType": { + "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "type": "string", + "default": "" + }, + "publicKey": { + "description": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PublicKey" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "policyType", + "fields-to-discriminateBy": { + "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", + "publicKey": "PublicKey" + } + } + ] + }, "com.github.openshift.api.config.v1.PowerVSPlatformSpec": { "description": "PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", @@ -9603,19 +9983,19 @@ } }, "com.github.openshift.api.config.v1.PrefixedClaimMapping": { + "description": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", "type": "object", "required": [ - "claim", - "prefix" + "claim" ], "properties": { "claim": { - "description": "claim is a JWT token claim to be used in the mapping", + "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", "type": "string", "default": "" }, "prefix": { - "description": "prefix is a string to prefix the value from the token in the result of the claim mapping.\n\nBy default, no prefixing occurs.\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "description": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", "type": "string", "default": "" } @@ -9838,6 +10218,25 @@ } } }, + "com.github.openshift.api.config.v1.PublicKey": { + "description": "PublicKey defines the root of trust based on a sigstore public key.", + "type": "object", + "required": [ + "keyData" + ], + "properties": { + "keyData": { + "description": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "rekorKeyData": { + "description": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.RegistryLocation": { "description": "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", "type": "object", @@ -10484,13 +10883,14 @@ "type": "object" }, "com.github.openshift.api.config.v1.TokenClaimMapping": { + "description": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", "type": "object", "required": [ "claim" ], "properties": { "claim": { - "description": "claim is a JWT token claim to be used in the mapping", + "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", "type": "string", "default": "" } @@ -10498,9 +10898,12 @@ }, "com.github.openshift.api.config.v1.TokenClaimMappings": { "type": "object", + "required": [ + "username" + ], "properties": { "extra": { - "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 64 extra attribute mappings may be provided.", + "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", "type": "array", "items": { "default": {}, @@ -10512,7 +10915,7 @@ "x-kubernetes-list-type": "map" }, "groups": { - "description": "groups is a name of the claim that should be used to construct groups for the cluster identity. The referenced claim must use array of strings values.", + "description": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.PrefixedClaimMapping" }, @@ -10521,7 +10924,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimOrExpressionMapping" }, "username": { - "description": "username is a name of the claim that should be used to construct usernames for the cluster identity.\n\nDefault value: \"sub\"", + "description": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernameClaimMapping" } @@ -10536,7 +10939,7 @@ "type": "string" }, "expression": { - "description": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 4096 characters in length.", + "description": "expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar').\n\nPrecisely one of claim or expression must be set. expression must not be specified when claim is set. When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.", "type": "string" } } @@ -10556,7 +10959,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenRequiredClaim" }, "type": { - "description": "type sets the type of the validation rule", + "description": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.", "type": "string", "default": "" } @@ -10589,12 +10992,11 @@ ], "properties": { "expression": { - "description": "Expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", - "type": "string", - "default": "" + "description": "expression is a CEL expression evaluated against token claims. The expression must be a non-empty string and no longer than 4096 characters. This field is required.", + "type": "string" }, "message": { - "description": "Message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", + "description": "message allows configuring the human-readable message that is returned from the Kubernetes API server when a token fails validation based on the CEL expression defined in 'expression'. This field is optional.", "type": "string" } } @@ -10603,8 +11005,7 @@ "type": "object", "required": [ "issuerURL", - "audiences", - "issuerCertificateAuthority" + "audiences" ], "properties": { "audienceMatchPolicy": { @@ -10612,7 +11013,7 @@ "type": "string" }, "audiences": { - "description": "audiences is an array of audiences that the token was issued for. Valid tokens must include at least one of these values in their \"aud\" claim. Must be set to exactly one value.", + "description": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", "type": "array", "items": { "type": "string", @@ -10625,12 +11026,12 @@ "type": "string" }, "issuerCertificateAuthority": { - "description": "CertificateAuthority is a reference to a config map in the configuration namespace. The .data of the configMap must contain the \"ca-bundle.crt\" key. If unset, system trust is used instead.", + "description": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ConfigMapNameReference" }, "issuerURL": { - "description": "URL is the serving URL of the token issuer. Must use the https:// scheme.", + "description": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", "type": "string", "default": "" } @@ -10649,7 +11050,7 @@ "default": "" }, "requiredValue": { - "description": "requiredValue is the required value for the claim.", + "description": "requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. If the value in the JWT claims does not match, the token will be rejected for authentication.\n\nrequiredValue must not be an empty string (\"\").", "type": "string", "default": "" } @@ -10663,11 +11064,11 @@ ], "properties": { "expression": { - "description": "Expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", + "description": "expression is a CEL expression that must evaluate to true for the token to be accepted. The expression is evaluated against the token's user information (e.g., username, groups). This field must be non-empty and may not exceed 4096 characters.", "type": "string" }, "message": { - "description": "Message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", + "description": "message is an optional, human-readable message returned by the API server when this validation rule fails. It can help clarify why a token was rejected.", "type": "string" } } @@ -10710,7 +11111,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overriden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { @@ -10746,33 +11147,43 @@ "com.github.openshift.api.config.v1.UsernameClaimMapping": { "type": "object", "required": [ - "claim", - "prefixPolicy", - "prefix" + "claim" ], "properties": { "claim": { - "description": "claim is a JWT token claim to be used in the mapping", + "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", "type": "string", "default": "" }, "prefix": { + "description": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernamePrefix" }, "prefixPolicy": { - "description": "prefixPolicy specifies how a prefix should apply.\n\nBy default, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins.\n\nSet to \"NoPrefix\" to disable prefixing.\n\nExample:\n (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n If the JWT claim `username` contains value `userA`, the resulting\n mapped value will be \"myoidc:userA\".\n (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n mapped value will be \"myoidc:userA@myoidc.tld\".\n (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n (b) \"email\": the mapped value will be \"userA@myoidc.tld\"", + "description": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "type": "string", "default": "" } - } + }, + "x-kubernetes-unions": [ + { + "discriminator": "prefixPolicy", + "fields-to-discriminateBy": { + "claim": "Claim", + "prefix": "Prefix" + } + } + ] }, "com.github.openshift.api.config.v1.UsernamePrefix": { + "description": "UsernamePrefix configures the string that should be used as a prefix for username claim mappings.", "type": "object", "required": [ "prefixString" ], "properties": { "prefixString": { + "description": "prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.\n\nprefixString must not be an empty string (\"\").", "type": "string", "default": "" } @@ -11171,6 +11582,102 @@ } } }, + "com.github.openshift.api.config.v1alpha1.AlertmanagerConfig": { + "description": "alertmanagerConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", + "type": "object", + "required": [ + "deploymentMode" + ], + "properties": { + "customConfig": { + "description": "customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.AlertmanagerCustomConfig" + }, + "deploymentMode": { + "description": "deploymentMode determines whether the default Alertmanager instance should be deployed as part of the monitoring stack. Allowed values are Disabled, DefaultConfig, and CustomConfig. When set to Disabled, the Alertmanager instance will not be deployed. When set to DefaultConfig, the platform will deploy Alertmanager with default settings. When set to CustomConfig, the Alertmanager will be deployed with custom configuration.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1alpha1.AlertmanagerCustomConfig": { + "description": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", + "type": "object", + "properties": { + "logLevel": { + "description": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "type": "string" + }, + "nodeSelector": { + "description": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "type": "object", + "additionalProperties": { + "type": "string", + "default": "" + } + }, + "resources": { + "description": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ContainerResource" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "secrets": { + "description": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, + "tolerations": { + "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "x-kubernetes-list-type": "atomic" + }, + "topologySpreadConstraints": { + "description": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint" + }, + "x-kubernetes-list-map-keys": [ + "topologyKey", + "whenUnsatisfiable" + ], + "x-kubernetes-list-type": "map" + }, + "volumeClaimTemplate": { + "description": "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.", + "$ref": "#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim" + } + } + }, + "com.github.openshift.api.config.v1alpha1.Audit": { + "description": "Audit profile configurations", + "type": "object", + "required": [ + "profile" + ], + "properties": { + "profile": { + "description": "profile is a required field for configuring the audit log level of the Kubernetes Metrics Server. Allowed values are None, Metadata, Request, or RequestResponse. When set to None, audit logging is disabled and no audit events are recorded. When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body. When set to Request, event metadata and the request body are logged, but not the response body. When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.\n\nSee: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy for more information about auditing and log levels.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.Backup": { "description": "Backup provides configuration for performing backups of the openshift cluster.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -11414,21 +11921,49 @@ "com.github.openshift.api.config.v1alpha1.ClusterMonitoringSpec": { "description": "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator", "type": "object", - "required": [ - "userDefined" - ], "properties": { + "alertmanagerConfig": { + "description": "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.AlertmanagerConfig" + }, + "metricsServerConfig": { + "description": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.MetricsServerConfig" + }, "userDefined": { - "description": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring.", + "description": "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.UserDefinedMonitoring" } } }, "com.github.openshift.api.config.v1alpha1.ClusterMonitoringStatus": { - "description": "MonitoringOperatorStatus defines the observed state of MonitoringOperator", + "description": "ClusterMonitoringStatus defines the observed state of ClusterMonitoring", "type": "object" }, + "com.github.openshift.api.config.v1alpha1.ContainerResource": { + "description": "ContainerResource defines a single resource requirement for a container.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "limit": { + "description": "limit is the maximum amount of the resource allowed (e.g. \"2Mi\", \"1Gi\"). This field is optional. When request is specified, limit cannot be less than request. The value must be greater than 0 when specified.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "name": { + "description": "name of the resource (e.g. \"cpu\", \"memory\", \"hugepages-2Mi\"). This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.", + "type": "string" + }, + "request": { + "description": "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + } + } + }, "com.github.openshift.api.config.v1alpha1.EtcdBackupSpec": { "description": "EtcdBackupSpec provides configuration for automated etcd backups to the cluster-etcd-operator", "type": "object", @@ -11681,6 +12216,63 @@ "com.github.openshift.api.config.v1alpha1.InsightsDataGatherStatus": { "type": "object" }, + "com.github.openshift.api.config.v1alpha1.MetricsServerConfig": { + "description": "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", + "type": "object", + "properties": { + "audit": { + "description": "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Audit" + }, + "nodeSelector": { + "description": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "type": "object", + "additionalProperties": { + "type": "string", + "default": "" + } + }, + "resources": { + "description": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ContainerResource" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "tolerations": { + "description": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "x-kubernetes-list-type": "atomic" + }, + "topologySpreadConstraints": { + "description": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint" + }, + "x-kubernetes-list-map-keys": [ + "topologyKey", + "whenUnsatisfiable" + ], + "x-kubernetes-list-type": "map" + }, + "verbosity": { + "description": "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.PKI": { "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", "type": "object", @@ -11870,7 +12462,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKI" }, "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "type": "string", "default": "" }, @@ -11919,7 +12511,8 @@ "maxNumberOfBackups": { "description": "maxNumberOfBackups defines the maximum number of backups to retain. If the existing number of backups saved is equal to MaxNumberOfBackups then the oldest backup will be removed before a new backup is initiated.", "type": "integer", - "format": "int32" + "format": "int32", + "default": 0 } } }, @@ -11968,7 +12561,8 @@ "maxSizeOfBackupsGb": { "description": "maxSizeOfBackupsGb defines the total size in GB of backups to retain. If the current total size backups exceeds MaxSizeOfBackupsGb then the oldest backup will be removed before a new backup is initiated.", "type": "integer", - "format": "int32" + "format": "int32", + "default": 0 } } }, @@ -11998,7 +12592,7 @@ ], "properties": { "mode": { - "description": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", + "description": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.\n\nPossible enum values:\n - `\"Disabled\"` disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.\n - `\"NamespaceIsolated\"` enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.", "type": "string", "default": "", "enum": [ @@ -12818,8 +13412,7 @@ "properties": { "basePath": { "description": "basePath is the path to the plugin's assets. The primary asset it the manifest file called `plugin-manifest.json`, which is a JSON document that contains metadata about the plugin and the extensions.", - "type": "string", - "default": "" + "type": "string" }, "name": { "description": "name of Service that is serving the plugin assets.", @@ -13469,7 +14062,8 @@ }, "type": { "description": "type determines which of the union members should be populated.", - "type": "string" + "type": "string", + "default": "" } }, "x-kubernetes-unions": [ @@ -13490,7 +14084,8 @@ "properties": { "type": { "description": "type is the discriminator. It has different values for Default and for TechPreviewNoUpgrade", - "type": "string" + "type": "string", + "default": "" } } }, @@ -14682,9 +15277,6 @@ "com.github.openshift.api.image.v1.ImageStreamStatus": { "description": "ImageStreamStatus contains information about the state of this image stream.", "type": "object", - "required": [ - "dockerImageRepository" - ], "properties": { "dockerImageRepository": { "description": "dockerImageRepository represents the effective location this stream may be accessed at. May be empty until the server determines where the repository is located", @@ -15535,6 +16127,393 @@ } } }, + "com.github.openshift.api.insights.v1alpha2.Custom": { + "description": "custom provides the custom configuration of gatherers", + "type": "object", + "required": [ + "configs" + ], + "properties": { + "configs": { + "description": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.GathererConfig" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.DataGather": { + "description": "DataGather provides data gather configuration options and status for the particular Insights data gathering.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec holds user settable values for configuration", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGatherSpec" + }, + "status": { + "description": "status holds observed values from the cluster. They may not be overridden.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGatherStatus" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.DataGatherList": { + "description": "DataGatherList is a collection of items\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains a list of DataGather resources.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.DataGather" + }, + "x-kubernetes-list-type": "atomic" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.DataGatherSpec": { + "description": "DataGatherSpec contains the configuration for the DataGather.", + "type": "object", + "properties": { + "dataPolicy": { + "description": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "gatherers": { + "description": "gatherers is an optional field that specifies the configuration of the gatherers. If omitted, all gatherers will be run.", + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Gatherers" + }, + "storage": { + "description": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Storage" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.DataGatherStatus": { + "description": "DataGatherStatus contains information relating to the DataGather state.", + "type": "object", + "properties": { + "conditions": { + "description": "conditions is an optional field that provides details on the status of the gatherer job. It may not exceed 100 items and must not contain duplicates.\n\nThe current condition types are DataUploaded, DataRecorded, DataProcessed, RemoteConfigurationNotAvailable, RemoteConfigurationInvalid\n\nThe DataUploaded condition is used to represent whether or not the archive was successfully uploaded for further processing. When it has a status of True and a reason of Succeeded, the archive was successfully uploaded. When it has a status of Unknown and a reason of NoUploadYet, the upload has not occurred, or there was no data to upload. When it has a status of False and a reason Failed, the upload failed. The accompanying message will include the specific error encountered.\n\nThe DataRecorded condition is used to represent whether or not the archive was successfully recorded. When it has a status of True and a reason of Succeeded, the archive was recorded successfully. When it has a status of Unknown and a reason of NoDataGatheringYet, the data gathering process has not started yet. When it has a status of False and a reason of RecordingFailed, the recording failed and a message will include the specific error encountered.\n\nThe DataProcessed condition is used to represent whether or not the archive was processed by the processing service. When it has a status of True and a reason of Processed, the data was processed successfully. When it has a status of Unknown and a reason of NothingToProcessYet, there is no data to process at the moment. When it has a status of False and a reason of Failure, processing failed and a message will include the specific error encountered.\n\nThe RemoteConfigurationAvailable condition is used to represent whether the remote configuration is available. When it has a status of Unknown and a reason of Unknown or RemoteConfigNotRequestedYet, the state of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is available. When it has a status of False and a reason of NoToken, the configuration was disabled by removing the cloud.openshift.com field from the pull secret. When it has a status of False and a reason of DisabledByConfiguration, the configuration was disabled in insightsdatagather.config.openshift.io.\n\nThe RemoteConfigurationValid condition is used to represent whether the remote configuration is valid. When it has a status of Unknown and a reason of Unknown or NoValidationYet, the validity of the remote configuration is unknown—typically at startup. When it has a status of True and a reason of Succeeded, the configuration is valid. When it has a status of False and a reason of Invalid, the configuration is invalid.\n\nThe Progressing condition is used to represent the phase of gathering When it has a status of False and the reason is DataGatherPending, the gathering has not started yet. When it has a status of True and reason is Gathering, the gathering is running. When it has a status of False and reason is GatheringSucceeded, the gathering succesfully finished. When it has a status of False and reason is GatheringFailed, the gathering failed.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "finishTime": { + "description": "finishTime is the time when Insights data gathering finished.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "gatherers": { + "description": "gatherers is a list of active gatherers (and their statuses) in the last gathering.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.GathererStatus" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "insightsReport": { + "description": "insightsReport provides general Insights analysis results. When omitted, this means no data gathering has taken place yet or the corresponding Insights analysis (identified by \"insightsRequestID\") is not available.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.InsightsReport" + }, + "insightsRequestID": { + "description": "insightsRequestID is an optional Insights request ID to track the status of the Insights analysis (in console.redhat.com processing pipeline) for the corresponding Insights data archive. It may not exceed 256 characters and is immutable once set.", + "type": "string" + }, + "relatedObjects": { + "description": "relatedObjects is an optional list of resources which are useful when debugging or inspecting the data gathering Pod It may not exceed 100 items and must not contain duplicates.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.ObjectReference" + }, + "x-kubernetes-list-map-keys": [ + "name", + "namespace" + ], + "x-kubernetes-list-type": "map" + }, + "startTime": { + "description": "startTime is the time when Insights data gathering started.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.GathererConfig": { + "description": "gathererConfig allows to configure specific gatherers", + "type": "object", + "required": [ + "name", + "state" + ], + "properties": { + "name": { + "description": "name is the required name of a specific gatherer It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", + "type": "string", + "default": "" + }, + "state": { + "description": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.GathererStatus": { + "description": "gathererStatus represents information about a particular data gatherer.", + "type": "object", + "required": [ + "name", + "lastGatherSeconds" + ], + "properties": { + "conditions": { + "description": "conditions provide details on the status of each gatherer.\n\nThe current condition type is DataGathered\n\nThe DataGathered condition is used to represent whether or not the data was gathered by a gatherer specified by name. When it has a status of True and a reason of GatheredOK, the data has been successfully gathered as expected. When it has a status of False and a reason of NoData, no data was gathered—for example, when the resource is not present in the cluster. When it has a status of False and a reason of GatherError, an error occurred and no data was gathered. When it has a status of False and a reason of GatherPanic, a panic occurred during gathering and no data was collected. When it has a status of False and a reason of GatherWithErrorReason, data was partially gathered or gathered with an error message.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "lastGatherSeconds": { + "description": "lastGatherSeconds is required field that represents the time spent gathering in seconds", + "type": "integer", + "format": "int32", + "default": 0 + }, + "name": { + "description": "name is the required name of the gatherer. It must contain at least 5 characters and may not exceed 256 characters.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.Gatherers": { + "description": "Gathereres specifies the configuration of the gatherers", + "type": "object", + "required": [ + "mode" + ], + "properties": { + "custom": { + "description": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.", + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.Custom" + }, + "mode": { + "description": "mode is a required field that specifies the mode for gatherers. Allowed values are All and Custom. When set to All, all gatherers wil run and gather data. When set to Custom, the custom configuration from the custom field will be applied.", + "type": "string", + "default": "" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "mode", + "fields-to-discriminateBy": { + "custom": "Custom" + } + } + ] + }, + "com.github.openshift.api.insights.v1alpha2.HealthCheck": { + "description": "healthCheck represents an Insights health check attributes.", + "type": "object", + "required": [ + "description", + "totalRisk", + "advisorURI" + ], + "properties": { + "advisorURI": { + "description": "advisorURI is required field that provides the URL link to the Insights Advisor. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", + "type": "string", + "default": "" + }, + "description": { + "description": "description is required field that provides basic description of the healtcheck. It must contain at least 10 characters and may not exceed 2048 characters.", + "type": "string", + "default": "" + }, + "totalRisk": { + "description": "totalRisk is the required field of the healthcheck. It is indicator of the total risk posed by the detected issue; combination of impact and likelihood. Allowed values are Low, Medium, Important and Critical. The value represents the severity of the issue.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.InsightsReport": { + "description": "insightsReport provides Insights health check report based on the most recently sent Insights data.", + "type": "object", + "properties": { + "downloadedTime": { + "description": "downloadedTime is an optional time when the last Insights report was downloaded. An empty value means that there has not been any Insights report downloaded yet and it usually appears in disconnected clusters (or clusters when the Insights data gathering is disabled).", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "healthChecks": { + "description": "healthChecks provides basic information about active Insights health checks in a cluster.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.HealthCheck" + }, + "x-kubernetes-list-map-keys": [ + "advisorURI", + "totalRisk", + "description" + ], + "x-kubernetes-list-type": "map" + }, + "uri": { + "description": "uri is optional field that provides the URL link from which the report was downloaded. The link must be a valid HTTPS URL and the maximum length is 2048 characters.", + "type": "string" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.ObjectReference": { + "description": "ObjectReference contains enough information to let you inspect or modify the referred object.", + "type": "object", + "required": [ + "group", + "resource", + "name", + "namespace" + ], + "properties": { + "group": { + "description": "group is required field that specifies the API Group of the Resource. Enter empty string for the core group. This value is empty or it should follow the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + "type": "string", + "default": "" + }, + "name": { + "description": "name is required field that specifies the referent that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start with an alphabetic character and end with an alphanumeric character..", + "type": "string", + "default": "" + }, + "namespace": { + "description": "namespace if required field of the referent that follows the DNS1123 labels format. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character.", + "type": "string", + "default": "" + }, + "resource": { + "description": "resource is required field of the type that is being referenced and follows the DNS1035 format. It is normally the plural form of the resource kind in lowercase. It must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.PersistentVolumeClaimReference": { + "description": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.PersistentVolumeConfig": { + "description": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", + "type": "object", + "required": [ + "claim" + ], + "properties": { + "claim": { + "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.PersistentVolumeClaimReference" + }, + "mountPath": { + "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", + "type": "string" + } + } + }, + "com.github.openshift.api.insights.v1alpha2.Storage": { + "description": "storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "persistentVolume": { + "description": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", + "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha2.PersistentVolumeConfig" + }, + "type": { + "description": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the PersistentVolume field.", + "type": "string", + "default": "" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "persistentVolume": "PersistentVolume" + } + } + ] + }, "com.github.openshift.api.kubecontrolplane.v1.AggregatorConfig": { "description": "AggregatorConfig holds information required to make the aggregator function.", "type": "object", @@ -18960,7 +19939,7 @@ ], "properties": { "accessTokenInactivityTimeoutSeconds": { - "description": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overriden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", + "description": "accessTokenInactivityTimeoutSeconds defined the default token inactivity timeout for tokens granted by any client. Setting it to nil means the feature is completely disabled (default) The default setting can be overridden on OAuthClient basis. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Valid values are: - 0: Tokens never time out - X: Tokens time out if there is no activity for X seconds The current minimum allowed value for X is 300 (5 minutes)", "type": "integer", "format": "int32" }, @@ -19579,7 +20558,8 @@ "properties": { "machineType": { "description": "machineType determines the type of Machines that should be managed by the ControlPlaneMachineSet. Currently, the only valid value is machines_v1beta1_machine_openshift_io.", - "type": "string" + "type": "string", + "default": "" }, "machines_v1beta1_machine_openshift_io": { "description": "OpenShiftMachineV1Beta1Machine defines the template for creating Machines from the v1beta1.machine.openshift.io API group.", @@ -20096,7 +21076,8 @@ "properties": { "adapterType": { "description": "adapterType is the adapter type of the disk address. If the deviceType is \"Disk\", the valid adapterType can be \"SCSI\", \"IDE\", \"PCI\", \"SATA\" or \"SPAPR\". If the deviceType is \"CDRom\", the valid adapterType can be \"IDE\" or \"SATA\".", - "type": "string" + "type": "string", + "default": "" }, "deviceIndex": { "description": "deviceIndex is the index of the disk address. The valid values are non-negative integers, with the default value 0. For a Machine VM, the deviceIndex for the disks with the same deviceType.adapterType combination should start from 0 and increase consecutively afterwards. Note that for each Machine VM, the Disk.SCSI.0 and CDRom.IDE.0 are reserved to be used by the VM's system. So for dataDisks of Disk.SCSI and CDRom.IDE, the deviceIndex should start from 1.", @@ -20146,7 +21127,7 @@ "$ref": "#/definitions/com.github.openshift.api.machine.v1.ControlPlaneMachineSetTemplateObjectMeta" }, "spec": { - "description": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overriden when the Machines are created based on the FailureDomains field.", + "description": "spec contains the desired configuration of the Control Plane Machines. The ProviderSpec within contains platform specific details for creating the Control Plane Machines. The ProviderSe should be complete apart from the platform specific failure domain field. This will be overridden when the Machines are created based on the FailureDomains field.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.MachineSpec" } @@ -21661,7 +22642,8 @@ "lun": { "description": "lun Specifies the logical unit number of the data disk. This value is used to identify data disks within the VM and therefore must be unique for each data disk attached to a VM. This value is also needed for referencing the data disks devices within userdata to perform disk initialization through Ignition (e.g. partition/format/mount). The value must be between 0 and 63.", "type": "integer", - "format": "int32" + "format": "int32", + "default": 0 }, "managedDisk": { "description": "managedDisk specifies the Managed Disk parameters for the data disk. Empty value means no opinion and the platform chooses a default, which is subject to change over time. Currently the default is a ManagedDisk with with storageAccountType: \"Premium_LRS\" and diskEncryptionSet.id: \"Default\".", @@ -21718,7 +22700,7 @@ "type": "object", "properties": { "deleteOnTermination": { - "description": "Indicates whether the EBS volume is deleted on machine termination.", + "description": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.", "type": "boolean" }, "encrypted": { @@ -22389,7 +23371,7 @@ ], "properties": { "maxUnhealthy": { - "description": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation.", + "description": "Any farther remediation is only allowed if at most \"MaxUnhealthy\" machines selected by \"selector\" are not healthy. Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. Defaults to 100% if not set.", "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString" }, "nodeStartupTimeout": { @@ -22418,10 +23400,6 @@ "com.github.openshift.api.machine.v1beta1.MachineHealthCheckStatus": { "description": "MachineHealthCheckStatus defines the observed state of MachineHealthCheck", "type": "object", - "required": [ - "expectedMachines", - "currentHealthy" - ], "properties": { "conditions": { "description": "conditions defines the current state of the MachineHealthCheck", @@ -22579,9 +23557,6 @@ "com.github.openshift.api.machine.v1beta1.MachineSetStatus": { "description": "MachineSetStatus defines the observed state of MachineSet", "type": "object", - "required": [ - "replicas" - ], "properties": { "authoritativeAPI": { "description": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", @@ -23011,7 +23986,8 @@ }, "securityType": { "description": "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", - "type": "string" + "type": "string", + "default": "" }, "trustedLaunch": { "description": "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", @@ -23320,95 +24296,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.BuildInputs": { - "description": "BuildInputs holds all of the information needed to trigger a build", - "type": "object", - "required": [ - "baseImagePullSecret", - "imageBuilder", - "renderedImagePushSecret", - "renderedImagePushspec" - ], - "properties": { - "baseImagePullSecret": { - "description": "baseImagePullSecret is the secret used to pull the base image. must live in the openshift-machine-config-operator namespace", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" - }, - "baseOSExtensionsImagePullspec": { - "description": "baseOSExtensionsImagePullspec is the base Extensions image used in the build process the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - "type": "string" - }, - "baseOSImagePullspec": { - "description": "baseOSImagePullspec is the base OSImage we use to build our custom image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pullspec is: host[:port][/namespace]/name@sha256:", - "type": "string" - }, - "containerFile": { - "description": "containerFile describes the custom data the user has specified to build into the image. this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSContainerfile" - }, - "x-kubernetes-list-map-keys": [ - "containerfileArch" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "containerfileArch", - "x-kubernetes-patch-strategy": "merge" - }, - "imageBuilder": { - "description": "machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig", - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSImageBuilder" - }, - "releaseVersion": { - "description": "releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. This is used as a label in the dockerfile that builds the OS image.", - "type": "string" - }, - "renderedImagePushSecret": { - "description": "renderedImagePushSecret is the secret used to connect to a user registry. the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them will only need to pull the image in order to use it.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" - }, - "renderedImagePushspec": { - "description": "renderedImagePushspec describes the location of the final image. the MachineOSConfig object will use the in cluster image registry configuration. if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. The format of the image pushspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.BuildOutputs": { - "description": "BuildOutputs holds all information needed to handle booting the image after a build", - "type": "object", - "properties": { - "currentImagePullSecret": { - "description": "currentImagePullSecret is the secret used to pull the final produced image. must live in the openshift-machine-config-operator namespace the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, that only gives someone to pull images from the image repository. It's basically the principle of least permissions. this pull secret will be used on all nodes in the pool. These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference" - } - }, - "x-kubernetes-unions": [ - { - "fields-to-discriminateBy": { - "currentImagePullSecret": "CurrentImagePullSecret" - } - } - ] - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.ImageSecretObjectReference": { - "description": "Refers to the name of an image registry push/pull secret needed in the build process.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the name of the secret used to push or pull this MachineOSConfig object. this secret must be in the openshift-machine-config-operator namespace.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference": { "description": "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", "type": "object", @@ -23617,381 +24504,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigPoolReference": { - "description": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name of the MachineConfigPool object.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuild": { - "description": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec describes the configuration of the machine os build", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildSpec" - }, - "status": { - "description": "status describes the lst observed state of this machine os build", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildList": { - "description": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuild" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildSpec": { - "description": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", - "type": "object", - "required": [ - "configGeneration", - "desiredConfig", - "machineOSConfig", - "version", - "renderedImagePushspec" - ], - "properties": { - "configGeneration": { - "description": "configGeneration tracks which version of MachineOSConfig this build is based off of", - "type": "integer", - "format": "int64", - "default": 0 - }, - "desiredConfig": { - "description": "desiredConfig is the desired config we want to build an image for.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.RenderedMachineConfigReference" - }, - "machineOSConfig": { - "description": "machineOSConfig is the config object which the build is based off of", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigReference" - }, - "renderedImagePushspec": { - "description": "renderedImagePushspec is set from the MachineOSConfig The format of the image pullspec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:", - "type": "string", - "default": "" - }, - "version": { - "description": "version tracks the newest MachineOSBuild for each MachineOSConfig", - "type": "integer", - "format": "int64", - "default": 0 - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuildStatus": { - "description": "MachineOSBuildStatus describes the state of a build and other helpful information.", - "type": "object", - "required": [ - "buildStart" - ], - "properties": { - "buildEnd": { - "description": "buildEnd describes when the build ended.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" - }, - "buildStart": { - "description": "buildStart describes when the build started.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" - }, - "builderReference": { - "description": "ImageBuilderType describes the image builder set in the MachineOSConfig", - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuilderReference" - }, - "conditions": { - "description": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "finalImagePullspec": { - "description": "finalImagePushSpec describes the fully qualified pushspec produced by this build that the final image can be. Must be in sha format.", - "type": "string" - }, - "relatedObjects": { - "description": "relatedObjects is a list of objects that are related to the build process.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference" - } - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSBuilderReference": { - "description": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build/", - "type": "object", - "required": [ - "imageBuilderType" - ], - "properties": { - "buildPod": { - "description": "relatedObjects is a list of objects that are related to the build process.", - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference" - }, - "imageBuilderType": { - "description": "imageBuilderType describes the image builder set in the MachineOSConfig", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "imageBuilderType", - "fields-to-discriminateBy": { - "buildPod": "PodImageBuilder" - } - } - ] - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfig": { - "description": "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec describes the configuration of the machineosconfig", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigSpec" - }, - "status": { - "description": "status describes the status of the machineosconfig", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigList": { - "description": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfig" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigReference": { - "description": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name of the MachineOSConfig", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigSpec": { - "description": "MachineOSConfigSpec describes user-configurable options as well as information about a build process.", - "type": "object", - "required": [ - "machineConfigPool", - "buildInputs" - ], - "properties": { - "buildInputs": { - "description": "buildInputs is where user input options for the build live", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.BuildInputs" - }, - "buildOutputs": { - "description": "buildOutputs is where user input options for the build live", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.BuildOutputs" - }, - "machineConfigPool": { - "description": "machineConfigPool is the pool which the build is for", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigPoolReference" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSConfigStatus": { - "description": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", - "type": "object", - "required": [ - "observedGeneration" - ], - "properties": { - "conditions": { - "description": "conditions are state related conditions for the config.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "currentImagePullspec": { - "description": "currentImagePullspec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This must include sha256.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the generation observed by the controller. this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with.", - "type": "integer", - "format": "int64" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSContainerfile": { - "description": "MachineOSContainerfile contains all custom content the user wants built into the image", - "type": "object", - "required": [ - "content" - ], - "properties": { - "containerfileArch": { - "description": "containerfileArch describes the architecture this containerfile is to be built for this arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", - "type": "string", - "default": "" - }, - "content": { - "description": "content is the custom content to be built", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineOSImageBuilder": { - "type": "object", - "required": [ - "imageBuilderType" - ], - "properties": { - "imageBuilderType": { - "description": "imageBuilderType specifies the backend to be used to build the image. Valid options are: PodImageBuilder", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.ObjectReference": { - "description": "ObjectReference contains enough information to let you inspect or modify the referred object.", - "type": "object", - "required": [ - "group", - "resource", - "name" - ], - "properties": { - "group": { - "description": "group of the referent.", - "type": "string", - "default": "" - }, - "name": { - "description": "name of the referent.", - "type": "string", - "default": "" - }, - "namespace": { - "description": "namespace of the referent.", - "type": "string" - }, - "resource": { - "description": "resource of the referent.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef": { "type": "object", "required": [ @@ -24105,20 +24617,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.RenderedMachineConfigReference": { - "description": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the name of the rendered MachineConfig object.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.monitoring.v1.AlertRelabelConfig": { "description": "AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -26136,7 +26634,6 @@ "description": "Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", "required": [ - "kubeClientConfig", "servingInfo", "leaderElection", "controllers", @@ -26197,10 +26694,6 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, - "kubeClientConfig": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.KubeClientConfig" - }, "leaderElection": { "description": "leaderElection defines the configuration for electing a controller instance to make changes to the cluster. If unspecified, the ControllerTTL value is checked to determine whether the legacy direct etcd election code will be used.", "default": {}, @@ -26742,9 +27235,6 @@ }, "com.github.openshift.api.operator.v1.AuthenticationStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -26976,9 +27466,6 @@ "com.github.openshift.api.operator.v1.CSISnapshotControllerStatus": { "description": "CSISnapshotControllerStatus defines the observed status of the CSISnapshotController operator.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27195,9 +27682,6 @@ "com.github.openshift.api.operator.v1.CloudCredentialStatus": { "description": "CloudCredentialStatus defines the observed status of the cloud-credential-operator.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27351,9 +27835,6 @@ "com.github.openshift.api.operator.v1.ClusterCSIDriverStatus": { "description": "ClusterCSIDriverStatus is the observed status of CSI driver operator", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27536,9 +28017,6 @@ }, "com.github.openshift.api.operator.v1.ConfigStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -27819,9 +28297,6 @@ "com.github.openshift.api.operator.v1.ConsoleStatus": { "description": "ConsoleStatus defines the observed status of the Console.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -28411,10 +28886,6 @@ }, "com.github.openshift.api.operator.v1.EtcdStatus": { "type": "object", - "required": [ - "readyReplicas", - "controlPlaneHardwareSpeed" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -28934,7 +29405,7 @@ "type": "object", "properties": { "internalMasqueradeSubnet": { - "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format", + "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.0.0/17 The value must be in proper IPV4 CIDR format", "type": "string" } } @@ -28943,11 +29414,11 @@ "type": "object", "properties": { "internalJoinSubnet": { - "description": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The current default value is 100.64.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "description": "internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The current default value is 100.64.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", "type": "string" }, "internalTransitSwitchSubnet": { - "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accomadate one IP per node in your cluster The value must be in proper IPV4 CIDR format", + "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 100.88.0.0/16 The subnet must be large enough to accommodate one IP per node in your cluster The value must be in proper IPV4 CIDR format", "type": "string" } } @@ -28957,7 +29428,7 @@ "type": "object", "properties": { "internalMasqueradeSubnet": { - "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/125 Note that IPV6 dual addresses are not permitted", + "description": "internalMasqueradeSubnet contains the masquerade addresses in IPV6 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /125). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is fd69::/112 Note that IPV6 dual addresses are not permitted", "type": "string" } } @@ -28966,11 +29437,11 @@ "type": "object", "properties": { "internalJoinSubnet": { - "description": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. The subnet must be large enough to accomadate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "description": "internalJoinSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The subnet must be large enough to accommodate one IP per node in your cluster The current default value is fd98::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", "type": "string" }, "internalTransitSwitchSubnet": { - "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. The value cannot be changed after installation. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accomadate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", + "description": "internalTransitSwitchSubnet is a v4 subnet in IPV4 CIDR format used internally by OVN-Kubernetes for the distributed transit switch in the OVN Interconnect architecture that connects the cluster routers on each node together to enable east west traffic. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. When ommitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The subnet must be large enough to accommodate one IP per node in your cluster The current default subnet is fd97::/64 The value must be in proper IPV6 CIDR format Note that IPV6 dual addresses are not permitted", "type": "string" } } @@ -29030,7 +29501,8 @@ "properties": { "matchType": { "description": "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - "type": "string" + "type": "string", + "default": "" }, "maxLength": { "description": "maxLength specifies a maximum length of the string that will be logged, which includes the cookie name, cookie value, and one-character delimiter. If the log entry exceeds this length, the value will be truncated in the log message. Note that the ingress controller may impose a separate bound on the total length of HTTP headers in a request.", @@ -29068,7 +29540,8 @@ "properties": { "matchType": { "description": "matchType specifies the type of match to be performed on the cookie name. Allowed values are \"Exact\" for an exact string match and \"Prefix\" for a string prefix match. If \"Exact\" is specified, a name must be specified in the name field. If \"Prefix\" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType \"Prefix\" and namePrefix \"foo\" will capture a cookie named \"foo\" or \"foobar\" but not one named \"bar\". The first matching cookie is captured.", - "type": "string" + "type": "string", + "default": "" }, "name": { "description": "name specifies a cookie name. Its value must be a valid HTTP cookie name as defined in RFC 6265 section 4.1.", @@ -29395,11 +29868,6 @@ "com.github.openshift.api.operator.v1.IngressControllerStatus": { "description": "IngressControllerStatus defines the observed status of the IngressController.", "type": "object", - "required": [ - "availableReplicas", - "selector", - "domain" - ], "properties": { "availableReplicas": { "description": "availableReplicas is number of observed available replicas according to the ingress controller deployment.", @@ -29608,9 +30076,6 @@ }, "com.github.openshift.api.operator.v1.InsightsOperatorStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -29690,6 +30155,21 @@ } } }, + "com.github.openshift.api.operator.v1.IrreconcilableValidationOverrides": { + "description": "IrreconcilableValidationOverrides holds the irreconcilable validations overrides to be applied on each rendered MachineConfig generation.", + "type": "object", + "properties": { + "storage": { + "description": "storage can be used to allow making irreconcilable changes to the selected sections under the `spec.config.storage` field of MachineConfig CRs It must have at least one item, may not exceed 3 items and must not contain duplicates. Allowed element values are \"Disks\", \"FileSystems\", \"Raid\" and omitted. When contains \"Disks\" changes to the `spec.config.storage.disks` section of MachineConfig CRs are allowed. When contains \"FileSystems\" changes to the `spec.config.storage.filesystems` section of MachineConfig CRs are allowed. When contains \"Raid\" changes to the `spec.config.storage.raid` section of MachineConfig CRs are allowed. When omitted changes to the `spec.config.storage` section are forbidden.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, "com.github.openshift.api.operator.v1.KubeAPIServer": { "description": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -29801,9 +30281,6 @@ }, "com.github.openshift.api.operator.v1.KubeAPIServerStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -29985,199 +30462,193 @@ "unsupportedConfigOverrides": { "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "useMoreSecureServiceCA": { - "description": "useMoreSecureServiceCA indicates that the service-ca.crt provided in SA token volumes should include only enough certificates to validate service serving certificates. Once set to true, it cannot be set to false. Even if someone finds a way to set it back to false, the service-ca.crt files that previously existed will only have the more secure content.", - "type": "boolean", - "default": false - } - } - }, - "com.github.openshift.api.operator.v1.KubeControllerManagerStatus": { - "type": "object", - "required": [ - "readyReplicas" - ], - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "latestAvailableRevisionReason": { - "description": "latestAvailableRevisionReason describe the detailed reason for the most recent deployment", - "type": "string" - }, - "nodeStatuses": { - "description": "nodeStatuses track the deployment values and errors across individual nodes", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.NodeStatus" - }, - "x-kubernetes-list-map-keys": [ - "nodeName" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.KubeScheduler": { - "description": "KubeScheduler provides information to configure an operator to manage scheduler.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "description": "spec is the specification of the desired behavior of the Kubernetes Scheduler", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerSpec" - }, - "status": { - "description": "status is the most recently observed status of the Kubernetes Scheduler", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.KubeSchedulerList": { - "description": "KubeSchedulerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeScheduler" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.KubeSchedulerSpec": { - "type": "object", - "required": [ - "managementState", - "forceRedeploymentReason" - ], - "properties": { - "failedRevisionLimit": { - "description": "failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", - "type": "integer", - "format": "int32" - }, - "forceRedeploymentReason": { - "description": "forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work this time instead of failing again on the same config.", - "type": "string", - "default": "" - }, - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "succeededRevisionLimit": { - "description": "succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", - "type": "integer", - "format": "int32" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "useMoreSecureServiceCA": { + "description": "useMoreSecureServiceCA indicates that the service-ca.crt provided in SA token volumes should include only enough certificates to validate service serving certificates. Once set to true, it cannot be set to false. Even if someone finds a way to set it back to false, the service-ca.crt files that previously existed will only have the more secure content.", + "type": "boolean", + "default": false } } }, - "com.github.openshift.api.operator.v1.KubeSchedulerStatus": { + "com.github.openshift.api.operator.v1.KubeControllerManagerStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "latestAvailableRevisionReason": { + "description": "latestAvailableRevisionReason describe the detailed reason for the most recent deployment", + "type": "string" + }, + "nodeStatuses": { + "description": "nodeStatuses track the deployment values and errors across individual nodes", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.NodeStatus" + }, + "x-kubernetes-list-map-keys": [ + "nodeName" + ], + "x-kubernetes-list-type": "map" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.KubeScheduler": { + "description": "KubeScheduler provides information to configure an operator to manage scheduler.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", "required": [ - "readyReplicas" + "metadata", + "spec" ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec is the specification of the desired behavior of the Kubernetes Scheduler", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerSpec" + }, + "status": { + "description": "status is the most recently observed status of the Kubernetes Scheduler", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeSchedulerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.KubeSchedulerList": { + "description": "KubeSchedulerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KubeScheduler" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.KubeSchedulerSpec": { + "type": "object", + "required": [ + "managementState", + "forceRedeploymentReason" + ], + "properties": { + "failedRevisionLimit": { + "description": "failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", + "type": "integer", + "format": "int32" + }, + "forceRedeploymentReason": { + "description": "forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work this time instead of failing again on the same config.", + "type": "string", + "default": "" + }, + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "succeededRevisionLimit": { + "description": "succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)", + "type": "integer", + "format": "int32" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + } + }, + "com.github.openshift.api.operator.v1.KubeSchedulerStatus": { + "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -30337,9 +30808,6 @@ }, "com.github.openshift.api.operator.v1.KubeStorageVersionMigratorStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -30599,6 +31067,11 @@ "type": "string", "default": "" }, + "irreconcilableValidationOverrides": { + "description": "irreconcilableValidationOverrides is an optional field that can used to make changes to a MachineConfig that cannot be applied to existing nodes. When specified, the fields configured with validation overrides will no longer reject changes to those respective fields due to them not being able to be applied to existing nodes. Only newly provisioned nodes will have these configurations applied. Existing nodes will report observed configuration differences in their MachineConfigNode status.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.IrreconcilableValidationOverrides" + }, "logLevel": { "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", "type": "string" @@ -30801,9 +31274,6 @@ }, "com.github.openshift.api.operator.v1.MyOperatorResourceStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31050,9 +31520,6 @@ "com.github.openshift.api.operator.v1.NetworkStatus": { "description": "NetworkStatus is detailed operator status, which is distilled up to the Network clusteroperator object.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31565,9 +32032,6 @@ }, "com.github.openshift.api.operator.v1.OLMStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -31669,11 +32133,11 @@ "type": "string" }, "v4InternalSubnet": { - "description": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is 100.64.0.0/16", + "description": "v4InternalSubnet is a v4 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is 100.64.0.0/16", "type": "string" }, "v6InternalSubnet": { - "description": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. The value cannot be changed after installation. Default is fd98::/64", + "description": "v6InternalSubnet is a v6 subnet used internally by ovn-kubernetes in case the default one is being already used by something else. It must not overlap with any other subnet being used by OpenShift or by the node network. The size of the subnet must be larger than the number of nodes. Default is fd98::/64", "type": "string" } } @@ -31771,157 +32235,151 @@ } } }, - "com.github.openshift.api.operator.v1.OpenShiftAPIServerStatus": { - "type": "object", - "required": [ - "readyReplicas" - ], - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManager": { - "description": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec" - }, - "status": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerList": { - "description": "OpenShiftControllerManagerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManager" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec": { - "type": "object", - "required": [ - "managementState" - ], - "properties": { - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - } - } - }, - "com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus": { + "com.github.openshift.api.operator.v1.OpenShiftAPIServerStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManager": { + "description": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec" + }, + "status": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerList": { + "description": "OpenShiftControllerManagerList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", "required": [ - "readyReplicas" + "metadata", + "items" ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OpenShiftControllerManager" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerSpec": { + "type": "object", + "required": [ + "managementState" + ], + "properties": { + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + } + }, + "com.github.openshift.api.operator.v1.OpenShiftControllerManagerStatus": { + "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32077,9 +32535,6 @@ }, "com.github.openshift.api.operator.v1.OperatorStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32574,9 +33029,6 @@ }, "com.github.openshift.api.operator.v1.ServiceCAStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -32717,157 +33169,151 @@ } } }, - "com.github.openshift.api.operator.v1.ServiceCatalogAPIServerStatus": { - "type": "object", - "required": [ - "readyReplicas" - ], - "properties": { - "conditions": { - "description": "conditions is a list of conditions and their status", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "generations": { - "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" - }, - "x-kubernetes-list-map-keys": [ - "group", - "resource", - "namespace", - "name" - ], - "x-kubernetes-list-type": "map" - }, - "latestAvailableRevision": { - "description": "latestAvailableRevision is the deploymentID of the most recent deployment", - "type": "integer", - "format": "int32" - }, - "observedGeneration": { - "description": "observedGeneration is the last generation change you've dealt with", - "type": "integer", - "format": "int64" - }, - "readyReplicas": { - "description": "readyReplicas indicates how many replicas are ready and at the desired state", - "type": "integer", - "format": "int32", - "default": 0 - }, - "version": { - "description": "version is the level this availability applies to", - "type": "string" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManager": { - "description": "ServiceCatalogControllerManager provides information to configure an operator to manage Service Catalog Controller Manager DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec" - }, - "status": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerList": { - "description": "ServiceCatalogControllerManagerList is a collection of items DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains the items", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManager" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec": { - "type": "object", - "required": [ - "managementState" - ], - "properties": { - "logLevel": { - "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "managementState": { - "description": "managementState indicates whether and how the operator should manage the component", - "type": "string", - "default": "" - }, - "observedConfig": { - "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - }, - "operatorLogLevel": { - "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", - "type": "string" - }, - "unsupportedConfigOverrides": { - "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", - "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" - } - } - }, - "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus": { + "com.github.openshift.api.operator.v1.ServiceCatalogAPIServerStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions is a list of conditions and their status", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.OperatorCondition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "generations": { + "description": "generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.GenerationStatus" + }, + "x-kubernetes-list-map-keys": [ + "group", + "resource", + "namespace", + "name" + ], + "x-kubernetes-list-type": "map" + }, + "latestAvailableRevision": { + "description": "latestAvailableRevision is the deploymentID of the most recent deployment", + "type": "integer", + "format": "int32" + }, + "observedGeneration": { + "description": "observedGeneration is the last generation change you've dealt with", + "type": "integer", + "format": "int64" + }, + "readyReplicas": { + "description": "readyReplicas indicates how many replicas are ready and at the desired state", + "type": "integer", + "format": "int32", + "default": 0 + }, + "version": { + "description": "version is the level this availability applies to", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManager": { + "description": "ServiceCatalogControllerManager provides information to configure an operator to manage Service Catalog Controller Manager DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec" + }, + "status": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerList": { + "description": "ServiceCatalogControllerManagerList is a collection of items DEPRECATED: will be removed in 4.6\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", "required": [ - "readyReplicas" + "metadata", + "items" ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items contains the items", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.ServiceCatalogControllerManager" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerSpec": { + "type": "object", + "required": [ + "managementState" + ], + "properties": { + "logLevel": { + "description": "logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "managementState": { + "description": "managementState indicates whether and how the operator should manage the component", + "type": "string", + "default": "" + }, + "observedConfig": { + "description": "observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because it is an input to the level for the operator", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "operatorLogLevel": { + "description": "operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".", + "type": "string" + }, + "unsupportedConfigOverrides": { + "description": "unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + } + }, + "com.github.openshift.api.operator.v1.ServiceCatalogControllerManagerStatus": { + "type": "object", "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33079,9 +33525,6 @@ "com.github.openshift.api.operator.v1.StaticPodOperatorStatus": { "description": "StaticPodOperatorStatus is status for controllers that manage static pods. There are different needs because individual node status must be tracked.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33261,9 +33704,6 @@ "com.github.openshift.api.operator.v1.StorageStatus": { "description": "StorageStatus defines the observed status of the cluster storage operator.", "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -33973,9 +34413,6 @@ }, "com.github.openshift.api.operator.v1alpha1.OLMStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -35551,130 +35988,6 @@ } } }, - "com.github.openshift.api.platform.v1alpha1.ActiveBundleDeployment": { - "description": "ActiveBundleDeployment references a BundleDeployment resource.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the metadata.name of the referenced BundleDeployment object.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.platform.v1alpha1.Package": { - "description": "Package contains fields to configure which OLM package this PlatformOperator will install", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name contains the desired OLM-based Operator package name that is defined in an existing CatalogSource resource in the cluster.\n\nThis configured package will be managed with the cluster's lifecycle. In the current implementation, it will be retrieving this name from a list of supported operators out of the catalogs included with OpenShift.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.platform.v1alpha1.PlatformOperator": { - "description": "PlatformOperator is the Schema for the PlatformOperators API.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperatorSpec" - }, - "status": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperatorStatus" - } - } - }, - "com.github.openshift.api.platform.v1alpha1.PlatformOperatorList": { - "description": "PlatformOperatorList contains a list of PlatformOperators\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.PlatformOperator" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - } - }, - "com.github.openshift.api.platform.v1alpha1.PlatformOperatorSpec": { - "description": "PlatformOperatorSpec defines the desired state of PlatformOperator.", - "type": "object", - "required": [ - "package" - ], - "properties": { - "package": { - "description": "package contains the desired package and its configuration for this PlatformOperator.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.Package" - } - } - }, - "com.github.openshift.api.platform.v1alpha1.PlatformOperatorStatus": { - "description": "PlatformOperatorStatus defines the observed state of PlatformOperator", - "type": "object", - "properties": { - "activeBundleDeployment": { - "description": "activeBundleDeployment is the reference to the BundleDeployment resource that's being managed by this PO resource. If this field is not populated in the status then it means the PlatformOperator has either not been installed yet or is failing to install.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.platform.v1alpha1.ActiveBundleDeployment" - }, - "conditions": { - "description": "conditions represent the latest available observations of a platform operator's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.project.v1.Project": { "description": "Projects are the unit of isolation and collaboration in OpenShift. A project has one or more members, a quota on the resources that the project may consume, and the security controls on the resources in the project. Within a project, members may have different roles - project administrators can set membership, editors can create and manage the resources, and viewers can see but not access running containers. In a normal cluster project administrators are not able to alter their quotas - that is restricted to cluster administrators.\n\nListing or watching projects will return only projects the user has the reader role on.\n\nAn OpenShift project is an alternative representation of a Kubernetes namespace. Projects are exposed as editable to end users while namespaces are not. Direct creation of a project is typically restricted to administrators, while end users should use the requestproject resource.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", @@ -36725,9 +37038,6 @@ "com.github.openshift.api.security.v1.PodSecurityPolicyReviewStatus": { "description": "PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.", "type": "object", - "required": [ - "allowedServiceAccounts" - ], "properties": { "allowedServiceAccounts": { "description": "allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.", @@ -37392,9 +37702,6 @@ }, "com.github.openshift.api.servicecertsigner.v1alpha1.ServiceCertSignerOperatorConfigStatus": { "type": "object", - "required": [ - "readyReplicas" - ], "properties": { "conditions": { "description": "conditions is a list of conditions and their status", @@ -39956,6 +40263,77 @@ "default": {}, "$ref": "#/definitions/io.k8s.api.core.v1.ContainerState" }, + "stopSignal": { + "description": "StopSignal reports the effective stop signal for this container\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", + "type": "string", + "enum": [ + "SIGABRT", + "SIGALRM", + "SIGBUS", + "SIGCHLD", + "SIGCLD", + "SIGCONT", + "SIGFPE", + "SIGHUP", + "SIGILL", + "SIGINT", + "SIGIO", + "SIGIOT", + "SIGKILL", + "SIGPIPE", + "SIGPOLL", + "SIGPROF", + "SIGPWR", + "SIGQUIT", + "SIGRTMAX", + "SIGRTMAX-1", + "SIGRTMAX-10", + "SIGRTMAX-11", + "SIGRTMAX-12", + "SIGRTMAX-13", + "SIGRTMAX-14", + "SIGRTMAX-2", + "SIGRTMAX-3", + "SIGRTMAX-4", + "SIGRTMAX-5", + "SIGRTMAX-6", + "SIGRTMAX-7", + "SIGRTMAX-8", + "SIGRTMAX-9", + "SIGRTMIN", + "SIGRTMIN+1", + "SIGRTMIN+10", + "SIGRTMIN+11", + "SIGRTMIN+12", + "SIGRTMIN+13", + "SIGRTMIN+14", + "SIGRTMIN+15", + "SIGRTMIN+2", + "SIGRTMIN+3", + "SIGRTMIN+4", + "SIGRTMIN+5", + "SIGRTMIN+6", + "SIGRTMIN+7", + "SIGRTMIN+8", + "SIGRTMIN+9", + "SIGSEGV", + "SIGSTKFLT", + "SIGSTOP", + "SIGSYS", + "SIGTERM", + "SIGTRAP", + "SIGTSTP", + "SIGTTIN", + "SIGTTOU", + "SIGURG", + "SIGUSR1", + "SIGUSR2", + "SIGVTALRM", + "SIGWINCH", + "SIGXCPU", + "SIGXFSZ" + ] + }, "user": { "description": "User represents user identity information initially attached to the first process of the container", "$ref": "#/definitions/io.k8s.api.core.v1.ContainerUser" @@ -40078,7 +40456,7 @@ } }, "io.k8s.api.core.v1.EndpointAddress": { - "description": "EndpointAddress is a tuple that describes single IP address.", + "description": "EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+.", "type": "object", "required": [ "ip" @@ -40105,7 +40483,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.EndpointPort": { - "description": "EndpointPort is a tuple that describes a single port.", + "description": "EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+.", "type": "object", "required": [ "port" @@ -40138,7 +40516,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.EndpointSubset": { - "description": "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]", + "description": "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.", "type": "object", "properties": { "addresses": { @@ -40171,7 +40549,7 @@ } }, "io.k8s.api.core.v1.Endpoints": { - "description": "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]", + "description": "Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]\n\nEndpoints is a legacy API and does not contain information about all Service features. Use discoveryv1.EndpointSlice for complete information about Service endpoints.\n\nDeprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.", "type": "object", "properties": { "apiVersion": { @@ -40199,7 +40577,7 @@ } }, "io.k8s.api.core.v1.EndpointsList": { - "description": "EndpointsList is a list of endpoints.", + "description": "EndpointsList is a list of endpoints. Deprecated: This API is deprecated in v1.33+.", "type": "object", "required": [ "items" @@ -40229,7 +40607,7 @@ } }, "io.k8s.api.core.v1.EnvFromSource": { - "description": "EnvFromSource represents the source of a set of ConfigMaps", + "description": "EnvFromSource represents the source of a set of ConfigMaps or Secrets", "type": "object", "properties": { "configMapRef": { @@ -40237,7 +40615,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource" }, "prefix": { - "description": "An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.", + "description": "Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.", "type": "string" }, "secretRef": { @@ -41364,6 +41742,77 @@ "preStop": { "description": "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks", "$ref": "#/definitions/io.k8s.api.core.v1.LifecycleHandler" + }, + "stopSignal": { + "description": "StopSignal defines which signal will be sent to a container when it is being stopped. If not specified, the default is defined by the container runtime in use. StopSignal can only be set for Pods with a non-empty .spec.os.name\n\nPossible enum values:\n - `\"SIGABRT\"`\n - `\"SIGALRM\"`\n - `\"SIGBUS\"`\n - `\"SIGCHLD\"`\n - `\"SIGCLD\"`\n - `\"SIGCONT\"`\n - `\"SIGFPE\"`\n - `\"SIGHUP\"`\n - `\"SIGILL\"`\n - `\"SIGINT\"`\n - `\"SIGIO\"`\n - `\"SIGIOT\"`\n - `\"SIGKILL\"`\n - `\"SIGPIPE\"`\n - `\"SIGPOLL\"`\n - `\"SIGPROF\"`\n - `\"SIGPWR\"`\n - `\"SIGQUIT\"`\n - `\"SIGRTMAX\"`\n - `\"SIGRTMAX-1\"`\n - `\"SIGRTMAX-10\"`\n - `\"SIGRTMAX-11\"`\n - `\"SIGRTMAX-12\"`\n - `\"SIGRTMAX-13\"`\n - `\"SIGRTMAX-14\"`\n - `\"SIGRTMAX-2\"`\n - `\"SIGRTMAX-3\"`\n - `\"SIGRTMAX-4\"`\n - `\"SIGRTMAX-5\"`\n - `\"SIGRTMAX-6\"`\n - `\"SIGRTMAX-7\"`\n - `\"SIGRTMAX-8\"`\n - `\"SIGRTMAX-9\"`\n - `\"SIGRTMIN\"`\n - `\"SIGRTMIN+1\"`\n - `\"SIGRTMIN+10\"`\n - `\"SIGRTMIN+11\"`\n - `\"SIGRTMIN+12\"`\n - `\"SIGRTMIN+13\"`\n - `\"SIGRTMIN+14\"`\n - `\"SIGRTMIN+15\"`\n - `\"SIGRTMIN+2\"`\n - `\"SIGRTMIN+3\"`\n - `\"SIGRTMIN+4\"`\n - `\"SIGRTMIN+5\"`\n - `\"SIGRTMIN+6\"`\n - `\"SIGRTMIN+7\"`\n - `\"SIGRTMIN+8\"`\n - `\"SIGRTMIN+9\"`\n - `\"SIGSEGV\"`\n - `\"SIGSTKFLT\"`\n - `\"SIGSTOP\"`\n - `\"SIGSYS\"`\n - `\"SIGTERM\"`\n - `\"SIGTRAP\"`\n - `\"SIGTSTP\"`\n - `\"SIGTTIN\"`\n - `\"SIGTTOU\"`\n - `\"SIGURG\"`\n - `\"SIGUSR1\"`\n - `\"SIGUSR2\"`\n - `\"SIGVTALRM\"`\n - `\"SIGWINCH\"`\n - `\"SIGXCPU\"`\n - `\"SIGXFSZ\"`", + "type": "string", + "enum": [ + "SIGABRT", + "SIGALRM", + "SIGBUS", + "SIGCHLD", + "SIGCLD", + "SIGCONT", + "SIGFPE", + "SIGHUP", + "SIGILL", + "SIGINT", + "SIGIO", + "SIGIOT", + "SIGKILL", + "SIGPIPE", + "SIGPOLL", + "SIGPROF", + "SIGPWR", + "SIGQUIT", + "SIGRTMAX", + "SIGRTMAX-1", + "SIGRTMAX-10", + "SIGRTMAX-11", + "SIGRTMAX-12", + "SIGRTMAX-13", + "SIGRTMAX-14", + "SIGRTMAX-2", + "SIGRTMAX-3", + "SIGRTMAX-4", + "SIGRTMAX-5", + "SIGRTMAX-6", + "SIGRTMAX-7", + "SIGRTMAX-8", + "SIGRTMAX-9", + "SIGRTMIN", + "SIGRTMIN+1", + "SIGRTMIN+10", + "SIGRTMIN+11", + "SIGRTMIN+12", + "SIGRTMIN+13", + "SIGRTMIN+14", + "SIGRTMIN+15", + "SIGRTMIN+2", + "SIGRTMIN+3", + "SIGRTMIN+4", + "SIGRTMIN+5", + "SIGRTMIN+6", + "SIGRTMIN+7", + "SIGRTMIN+8", + "SIGRTMIN+9", + "SIGSEGV", + "SIGSTKFLT", + "SIGSTOP", + "SIGSYS", + "SIGTERM", + "SIGTRAP", + "SIGTSTP", + "SIGTTIN", + "SIGTTOU", + "SIGURG", + "SIGUSR1", + "SIGUSR2", + "SIGVTALRM", + "SIGWINCH", + "SIGXCPU", + "SIGXFSZ" + ] } } }, @@ -42295,6 +42744,17 @@ } } }, + "io.k8s.api.core.v1.NodeSwapStatus": { + "description": "NodeSwapStatus represents swap memory information.", + "type": "object", + "properties": { + "capacity": { + "description": "Total amount of swap memory in bytes.", + "type": "integer", + "format": "int64" + } + } + }, "io.k8s.api.core.v1.NodeSystemInfo": { "description": "NodeSystemInfo is a set of ids/uuids to uniquely identify the node.", "type": "object", @@ -42356,6 +42816,10 @@ "type": "string", "default": "" }, + "swap": { + "description": "Swap Info reported by the node.", + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSwapStatus" + }, "systemUUID": { "description": "SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid", "type": "string", @@ -43113,7 +43577,7 @@ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" }, "matchLabelKeys": { - "description": "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", + "description": "MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.", "type": "array", "items": { "type": "string", @@ -43122,7 +43586,7 @@ "x-kubernetes-list-type": "atomic" }, "mismatchLabelKeys": { - "description": "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).", + "description": "MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.", "type": "array", "items": { "type": "string", @@ -43228,6 +43692,11 @@ "description": "Human-readable message indicating details about last transition.", "type": "string" }, + "observedGeneration": { + "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", + "type": "integer", + "format": "int64" + }, "reason": { "description": "Unique, one-word, CamelCase reason for the condition's last transition.", "type": "string" @@ -43767,7 +44236,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainers": { - "description": "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", + "description": "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/", "type": "array", "items": { "default": {}, @@ -44016,6 +44485,11 @@ "description": "nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.", "type": "string" }, + "observedGeneration": { + "description": "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.", + "type": "integer", + "format": "int64" + }, "phase": { "description": "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)", "type": "string", @@ -44059,7 +44533,7 @@ "type": "string" }, "resize": { - "description": "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"", + "description": "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.", "type": "string" }, "resourceClaimStatuses": { @@ -44638,12 +45112,14 @@ "minReadySeconds": { "description": "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)", "type": "integer", - "format": "int32" + "format": "int32", + "default": 0 }, "replicas": { "description": "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller", "type": "integer", - "format": "int32" + "format": "int32", + "default": 1 }, "selector": { "description": "Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors", @@ -44854,7 +45330,8 @@ "NotBestEffort", "NotTerminating", "PriorityClass", - "Terminating" + "Terminating", + "VolumeAttributesClass" ] }, "x-kubernetes-list-type": "atomic" @@ -45107,7 +45584,7 @@ ] }, "scopeName": { - "description": "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0", + "description": "The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0\n - `\"VolumeAttributesClass\"` Match all pvc objects that have volume attributes class mentioned.", "type": "string", "default": "", "enum": [ @@ -45116,7 +45593,8 @@ "NotBestEffort", "NotTerminating", "PriorityClass", - "Terminating" + "Terminating", + "VolumeAttributesClass" ] }, "values": { @@ -45773,7 +46251,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.SessionAffinityConfig" }, "trafficDistribution": { - "description": "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are topologically close (e.g., same zone). This is a beta field and requires enabling ServiceTrafficDistribution feature.", + "description": "TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are in the same zone.", "type": "string" }, "type": { @@ -46070,7 +46548,7 @@ "format": "int32" }, "nodeAffinityPolicy": { - "description": "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + "description": "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", "type": "string", "enum": [ "Honor", @@ -46078,7 +46556,7 @@ ] }, "nodeTaintsPolicy": { - "description": "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", + "description": "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.", "type": "string", "enum": [ "Honor", @@ -46230,7 +46708,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource" }, "image": { - "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", "$ref": "#/definitions/io.k8s.api.core.v1.ImageVolumeSource" }, "iscsi": { @@ -46510,7 +46988,7 @@ "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource" }, "image": { - "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", + "description": "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.", "$ref": "#/definitions/io.k8s.api.core.v1.ImageVolumeSource" }, "iscsi": { From 902caae1ff1729efdd79f84ff8ad5cb4538eced0 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 18 Sep 2025 12:43:52 +0200 Subject: [PATCH 11/12] REBASING Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 7 ++++--- .../authentications.config.openshift.io/ExternalOIDC.yaml | 3 ++- .../ExternalOIDCWithNewAuthConfigFields.yaml | 3 ++- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 3 ++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index a8fae842399..08cf45625c6 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -250,7 +250,8 @@ type OIDCProvider struct { // See the TokenUserValidationRule type for more information on rule structure. // +optional - //+listType=atomic + // +listType=atomic + // +kubebuilder:validation:MaxItems=20 UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } @@ -285,7 +286,7 @@ type TokenIssuer struct { // // +listType=set // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=263 + // +kubebuilder:validation:MaxItems=20 // +required Audiences []TokenAudience `json:"audiences"` @@ -807,7 +808,7 @@ type TokenClaimValidationRule struct { // Must be set if type == "Expression". // // +optional - ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` + ExpressionRule *TokenExpressionRule `json:"expressionRule,omitzero,omitempty"` } type TokenRequiredClaim struct { diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index e26bfa2da4d..e5292ec7d32 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -287,7 +287,7 @@ spec: items: minLength: 1 type: string - maxItems: 263 + maxItems: 20 minItems: 1 type: array x-kubernetes-list-type: set @@ -464,6 +464,7 @@ spec: required: - expression type: object + maxItems: 20 type: array x-kubernetes-list-type: atomic required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index ceec3852f45..2230aadc1ab 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -301,7 +301,7 @@ spec: items: minLength: 1 type: string - maxItems: 263 + maxItems: 20 minItems: 1 type: array x-kubernetes-list-type: set @@ -508,6 +508,7 @@ spec: required: - expression type: object + maxItems: 20 type: array x-kubernetes-list-type: atomic required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 8ad8daf0639..ad735262e5a 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -438,7 +438,7 @@ spec: items: minLength: 1 type: string - maxItems: 263 + maxItems: 20 minItems: 1 type: array x-kubernetes-list-type: set @@ -615,6 +615,7 @@ spec: required: - expression type: object + maxItems: 20 type: array x-kubernetes-list-type: atomic required: From 9d042805c0cf44ec29aa8af271293432453cea28 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 18 Sep 2025 15:35:53 +0200 Subject: [PATCH 12/12] fixing failed tests Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 8 ++++---- .../authentications.config.openshift.io/ExternalOIDC.yaml | 2 +- .../ExternalOIDCWithNewAuthConfigFields.yaml | 2 +- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 08cf45625c6..185a118af9e 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -244,14 +244,14 @@ type OIDCProvider struct { // +optional ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"` - // UserValidationRules defines the set of rules used to validate claims in a user’s token. + // userValidationRules defines the set of rules used to validate claims in a user’s token. // These rules determine whether a token subject is considered valid based on its claims. // Each rule is evaluated independently. // See the TokenUserValidationRule type for more information on rule structure. - // +optional // +listType=atomic - // +kubebuilder:validation:MaxItems=20 + // +kubebuilder:validation:MaxItems=64 + // +optional UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` } @@ -808,7 +808,7 @@ type TokenClaimValidationRule struct { // Must be set if type == "Expression". // // +optional - ExpressionRule *TokenExpressionRule `json:"expressionRule,omitzero,omitempty"` + ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"` } type TokenRequiredClaim struct { diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index e5292ec7d32..df833bc4129 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -464,7 +464,7 @@ spec: required: - expression type: object - maxItems: 20 + maxItems: 64 type: array x-kubernetes-list-type: atomic required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml index 2230aadc1ab..febd3a30378 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml @@ -508,7 +508,7 @@ spec: required: - expression type: object - maxItems: 20 + maxItems: 64 type: array x-kubernetes-list-type: atomic required: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index ad735262e5a..8094f4e6260 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -615,7 +615,7 @@ spec: required: - expression type: object - maxItems: 20 + maxItems: 64 type: array x-kubernetes-list-type: atomic required: