diff --git a/operators/ack-ecr-controller/1.4.2/bundle.Dockerfile b/operators/ack-ecr-controller/1.4.2/bundle.Dockerfile
new file mode 100644
index 000000000000..a0037d7be36f
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/bundle.Dockerfile
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=ack-ecr-controller
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=unknown
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/
diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-controller.clusterserviceversion.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-controller.clusterserviceversion.yaml
new file mode 100644
index 000000000000..93dfe43082b7
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-controller.clusterserviceversion.yaml
@@ -0,0 +1,297 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "ecr.services.k8s.aws/v1alpha1", + "kind": "Repository", + "metadata": { + "name": "example" + }, + "spec": {} + } + ] + capabilities: Basic Install + categories: Cloud Provider + certified: "false" + containerImage: public.ecr.aws/aws-controllers-k8s/ecr-controller:1.4.2 + createdAt: "2026-02-13T22:27:14Z" + description: AWS ECR controller is a service controller for managing ECR resources + in Kubernetes + operatorframework.io/suggested-namespace: ack-system + operators.operatorframework.io/builder: operator-sdk-v1.28.0 + operators.operatorframework.io/project_layout: unknown + repository: https://github.com/aws-controllers-k8s + support: Community + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/os.linux: supported + name: ack-ecr-controller.v1.4.2 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: PullThroughCacheRule represents the state of an AWS ecr PullThroughCacheRule + resource. + displayName: PullThroughCacheRule + kind: PullThroughCacheRule + name: pullthroughcacherules.ecr.services.k8s.aws + version: v1alpha1 + - description: Repository represents the state of an AWS ecr Repository resource. + displayName: Repository + kind: Repository + name: repositories.ecr.services.k8s.aws + version: v1alpha1 + - description: RepositoryCreationTemplate represents the state of an AWS ecr RepositoryCreationTemplate + resource. + displayName: RepositoryCreationTemplate + kind: RepositoryCreationTemplate + name: repositorycreationtemplates.ecr.services.k8s.aws + version: v1alpha1 + description: |- + Manage Amazon Elastic Container Registry (ECR) resources in AWS from within your Kubernetes cluster. 
+ + **About Amazon ECR** + + Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM. This is so that specified users or Amazon EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. + + **About the AWS Controllers for Kubernetes** + + This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. + + **Pre-Installation Steps** + + Please follow the following link: [Red Hat OpenShift](https://aws-controllers-k8s.github.io/community/docs/user-docs/openshift/) + displayName: AWS Controllers for Kubernetes - Amazon ECR + icon: + - base64data: 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 + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - ecr.services.k8s.aws + resources: + - pullthroughcacherules + - repositories + - repositorycreationtemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - ecr.services.k8s.aws + resources: + - pullthroughcacherules/status + - repositories/status + - repositorycreationtemplates/status + verbs: + - get + - patch + - update + - apiGroups: + - iam.services.k8s.aws + resources: + - roles + - roles/status + verbs: + - get + - list + - apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets + - secrets/status + verbs: + - get + - list + - apiGroups: + - services.k8s.aws + resources: + - fieldexports + - iamroleselectors + verbs: + - create + - delete + - 
get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - fieldexports/status + - iamroleselectors/status + verbs: + - get + - patch + - update + serviceAccountName: ack-ecr-controller + deployments: + - label: + app.kubernetes.io/name: ack-ecr-controller + app.kubernetes.io/part-of: ack-system + name: ack-ecr-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-ecr-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-ecr-controller + spec: + containers: + - args: + - --aws-region + - $(AWS_REGION) + - --aws-endpoint-url + - $(AWS_ENDPOINT_URL) + - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING) + - --log-level + - $(ACK_LOG_LEVEL) + - --resource-tags + - $(ACK_RESOURCE_TAGS) + - --watch-namespace + - $(ACK_WATCH_NAMESPACE) + - --enable-leader-election=$(ENABLE_LEADER_ELECTION) + - --leader-election-namespace + - $(LEADER_ELECTION_NAMESPACE) + - --reconcile-default-max-concurrent-syncs + - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS) + - --feature-gates + - $(FEATURE_GATES) + - --enable-carm=$(ENABLE_CARM) + command: + - ./bin/controller + env: + - name: ACK_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: ack-ecr-user-config + optional: false + - secretRef: + name: ack-ecr-user-secrets + optional: true + image: public.ecr.aws/aws-controllers-k8s/ecr-controller:1.4.2 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: controller + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + dnsPolicy: ClusterFirst + 
securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: ack-ecr-controller + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: ack-ecr-controller + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: true + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - ecr + - aws + - amazon + - ack + links: + - name: AWS Controllers for Kubernetes + url: https://github.com/aws-controllers-k8s/community + - name: Documentation + url: https://aws-controllers-k8s.github.io/community/ + - name: Amazon ECR Developer Resources + url: https://aws.amazon.com/ecr/resources/ + maintainers: + - email: ack-maintainers@amazon.com + name: ecr maintainer team + maturity: alpha + provider: + name: Amazon, Inc. + url: https://aws.amazon.com + version: 1.4.2 diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-metrics-service_v1_service.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-metrics-service_v1_service.yaml new file mode 100644 index 000000000000..b37deabf8216 --- /dev/null +++ b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-metrics-service_v1_service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + name: ack-ecr-metrics-service +spec: + ports: + - name: metricsport + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: ack-ecr-controller + type: ClusterIP +status: + loadBalancer: {} 
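Review bot: In the ClusterServiceVersion, the first `clusterPermissions` rule gives the `ack-ecr-controller` service account `get`, `list`, `patch` and `watch` on core `secrets` and `configmaps`, and because it sits under `clusterPermissions` rather than `permissions`, OLM is expected to bind it cluster-wide even when the operator is installed in `OwnNamespace` or `SingleNamespace` mode. A controller pod that can read and modify every Secret in the cluster is a high-value target, so the bundle should state why the grant is needed (presumably for FieldExport targets and secret references; confirm upstream) and whether it can move to the namespaced `permissions` list when the watch scope is narrow. Separately, `containerImage` and the deployment `image` reference `public.ecr.aws/aws-controllers-k8s/ecr-controller:1.4.2` by tag; pinning both by digest would keep the installed image from changing under the same version.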
diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-reader_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000000..c74987be24a9
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-reader_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-ecr-reader
+rules:
+- apiGroups:
+ - ecr.services.k8s.aws
+ resources:
+ - pullthroughcacherules
+ - repositories
+ - repositorycreationtemplates
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-writer_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000000..cfe52c8c5962
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/manifests/ack-ecr-writer_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-ecr-writer
+rules:
+- apiGroups:
+ - ecr.services.k8s.aws
+ resources:
+ - pullthroughcacherules
+ - repositories
+ - repositorycreationtemplates
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ecr.services.k8s.aws
+ resources:
+ - pullthroughcacherules
+ - repositories
+ - repositorycreationtemplates
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_pullthroughcacherules.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_pullthroughcacherules.yaml
new file mode 100644
index 000000000000..949a6c611fd6
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_pullthroughcacherules.yaml
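Review bot: In the `ack-ecr-writer` Role, the second rule repeats `pullthroughcacherules`, `repositories` and `repositorycreationtemplates` with `get`, `patch` and `update`, all of which the first rule already grants, so it has no effect. The controller's own `clusterPermissions` in the CSV use the `/status` subresources for the corresponding rule, which suggests the same was intended here: `- pullthroughcacherules/status`, `- repositories/status`, `- repositorycreationtemplates/status`. If users bound to this Role are not meant to write status, drop the second rule instead so the Role lists exactly what it grants.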
@@ -0,0 +1,247 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + creationTimestamp: null + name: pullthroughcacherules.ecr.services.k8s.aws +spec: + group: ecr.services.k8s.aws + names: + kind: PullThroughCacheRule + listKind: PullThroughCacheRuleList + plural: pullthroughcacherules + singular: pullthroughcacherule + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PullThroughCacheRule is the Schema for the PullThroughCacheRules + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PullThroughCacheRuleSpec defines the desired state of PullThroughCacheRule. + + The details of a pull through cache rule. + properties: + credentialARN: + description: |- + The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + secret that identifies the credentials to authenticate to the upstream registry. 
+ + Regex Pattern: `^arn:aws(-\w+)*:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$` + type: string + credentialRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + customRoleARN: + description: |- + Amazon Resource Name (ARN) of the IAM role to be assumed by Amazon ECR to + authenticate to the ECR upstream registry. This role must be in the same + account as the registry that you are configuring. + type: string + customRoleRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + ecrRepositoryPrefix: + description: |- + The repository name prefix to use when caching images from the source registry. + + There is always an assumed / applied to the end of the prefix. If you specify + ecr-public as the prefix, Amazon ECR treats that as ecr-public/. 
+ + Regex Pattern: `^((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*/?|ROOT)$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + registryID: + description: |- + The Amazon Web Services account ID associated with the registry to create + the pull through cache rule for. If you do not specify a registry, the default + registry is assumed. + + Regex Pattern: `^[0-9]{12}$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + upstreamRegistry: + description: The name of the upstream registry. + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + upstreamRegistryURL: + description: |- + The registry URL of the upstream public registry to use as the source for + the pull through cache rule. The following is the syntax to use for each + supported upstream registry. + + * Amazon ECR (ecr) – .dkr.ecr..amazonaws.com + + * Amazon ECR Public (ecr-public) – public.ecr.aws + + * Docker Hub (docker-hub) – registry-1.docker.io + + * GitHub Container Registry (github-container-registry) – ghcr.io + + * GitLab Container Registry (gitlab-container-registry) – registry.gitlab.com + + * Kubernetes (k8s) – registry.k8s.io + + * Microsoft Azure Container Registry (azure-container-registry) – .azurecr.io + + * Quay (quay) – quay.io + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + upstreamRepositoryPrefix: + description: |- + The repository name prefix of the upstream registry to match with the upstream + repository name. When this field isn't specified, Amazon ECR will use the + ROOT. 
+ + Regex Pattern: `^((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*/?|ROOT)$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + required: + - ecrRepositoryPrefix + - upstreamRegistryURL + type: object + status: + description: PullThroughCacheRuleStatus defines the observed state of + PullThroughCacheRule + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. 
+ type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRs managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createdAt: + description: |- + The date and time, in JavaScript date format, when the pull through cache + rule was created. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositories.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositories.yaml new file mode 100644 index 000000000000..9d8b197ee28d --- /dev/null +++ b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositories.yaml 
@@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + creationTimestamp: null + name: repositories.ecr.services.k8s.aws +spec: + group: ecr.services.k8s.aws + names: + kind: Repository + listKind: RepositoryList + plural: repositories + singular: repository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.registryID + name: REGISTRY-ID + type: string + - jsonPath: .spec.imageTagMutability + name: IMAGE-TAG-MUTABILITY + type: string + - jsonPath: .status.conditions[?(@.type=="ACK.ResourceSynced")].status + name: Synced + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Repository is the Schema for the Repositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + RepositorySpec defines the desired state of Repository. + + An object representing a repository. + properties: + encryptionConfiguration: + description: |- + The encryption configuration for the repository. This determines how the + contents of your repository are encrypted at rest. 
+ properties: + encryptionType: + type: string + kmsKey: + type: string + type: object + imageScanningConfiguration: + description: |- + The imageScanningConfiguration parameter is being deprecated, in favor of + specifying the image scanning configuration at the registry level. For more + information, see PutRegistryScanningConfiguration. + + The image scanning configuration for the repository. This determines whether + images are scanned for known vulnerabilities after being pushed to the repository. + properties: + scanOnPush: + type: boolean + type: object + imageTagMutability: + description: |- + The tag mutability setting for the repository. If this parameter is omitted, + the default setting of MUTABLE will be used which will allow image tags to + be overwritten. If IMMUTABLE is specified, all image tags within the repository + will be immutable which will prevent them from being overwritten. + type: string + imageTagMutabilityExclusionFilters: + description: |- + A list of filters that specify which image tags should be excluded from the + repository's image tag mutability setting. + items: + description: |- + A filter that specifies which image tags should be excluded from the repository's + image tag mutability setting. + properties: + filter: + type: string + filterType: + type: string + type: object + type: array + lifecyclePolicy: + description: The JSON repository policy text to apply to the repository. + type: string + name: + description: |- + The name to use for the repository. The repository name may be specified + on its own (such as nginx-web-app) or it can be prepended with a namespace + to group the repository into a category (such as project-a/nginx-web-app). + + The repository name must start with a letter and can only contain lowercase + letters, numbers, hyphens, underscores, and forward slashes. 
+ + Regex Pattern: `^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*$` + type: string + policy: + description: |- + The JSON repository policy text to apply to the repository. For more information, + see Amazon ECR repository policies (https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html) + in the Amazon Elastic Container Registry User Guide. + type: string + registryID: + description: |- + The Amazon Web Services account ID associated with the registry to create + the repository. If you do not specify a registry, the default registry is + assumed. + + Regex Pattern: `^[0-9]{12}$` + type: string + tags: + description: |- + The metadata that you apply to the repository to help you categorize and + organize them. Each tag consists of a key and an optional value, both of + which you define. Tag keys can have a maximum character length of 128 characters, + and tag values can have a maximum length of 256 characters. + items: + description: |- + The metadata to apply to a resource to help you categorize and organize them. + Each tag consists of a key and a value, both of which you define. Tag keys + can have a maximum character length of 128 characters, and tag values can + have a maximum length of 256 characters. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: RepositoryStatus defines the observed state of Repository + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. 
This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRs managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createdAt: + description: The date and time, in JavaScript date format, when the + repository was created. + format: date-time + type: string + repositoryURI: + description: |- + The URI for the repository. 
You can use this URI for container image push + and pull operations. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositorycreationtemplates.yaml b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositorycreationtemplates.yaml new file mode 100644 index 000000000000..bbbb8aae0f4c --- /dev/null +++ b/operators/ack-ecr-controller/1.4.2/manifests/ecr.services.k8s.aws_repositorycreationtemplates.yaml 
@@ -0,0 +1,259 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + creationTimestamp: null + name: repositorycreationtemplates.ecr.services.k8s.aws +spec: + group: ecr.services.k8s.aws + names: + kind: RepositoryCreationTemplate + listKind: RepositoryCreationTemplateList + plural: repositorycreationtemplates + singular: repositorycreationtemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RepositoryCreationTemplate is the Schema for the RepositoryCreationTemplates + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + RepositoryCreationTemplateSpec defines the desired state of RepositoryCreationTemplate. + + The details of the repository creation template associated with the request. + properties: + appliedFor: + description: |- + A list of enumerable strings representing the Amazon ECR repository creation + scenarios that this template will apply towards. The two supported scenarios + are PULL_THROUGH_CACHE and REPLICATION + items: + type: string + type: array + customRoleARN: + description: |- + The ARN of the role to be assumed by Amazon ECR. This role must be in the + same account as the registry that you are configuring. 
Amazon ECR will assume + your supplied role when the customRoleArn is specified. When this field isn't + specified, Amazon ECR will use the service-linked role for the repository + creation template. + type: string + customRoleRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + description: + description: A description for the repository creation template. + type: string + encryptionConfiguration: + description: The encryption configuration to use for repositories + created using the template. + properties: + encryptionType: + type: string + kmsKey: + type: string + type: object + imageTagMutability: + description: |- + The tag mutability setting for the repository. If this parameter is omitted, + the default setting of MUTABLE will be used which will allow image tags to + be overwritten. If IMMUTABLE is specified, all image tags within the repository + will be immutable which will prevent them from being overwritten. + type: string + imageTagMutabilityExclusionFilters: + description: |- + A list of filters that specify which image tags should be excluded from the + repository creation template's image tag mutability setting. + items: + description: |- + A filter that specifies which image tags should be excluded from the repository's + image tag mutability setting. + properties: + filter: + type: string + filterType: + type: string + type: object + type: array + lifecyclePolicy: + description: The lifecycle policy to use for repositories created + using the template. 
+ type: string + prefix: + description: |- + The repository namespace prefix to associate with the template. All repositories + created using this namespace prefix will have the settings defined in this + template applied. For example, a prefix of prod would apply to all repositories + beginning with prod/. Similarly, a prefix of prod/team would apply to all + repositories beginning with prod/team/. + + To apply a template to all repositories in your registry that don't have + an associated creation template, you can use ROOT as the prefix. + + There is always an assumed / applied to the end of the prefix. If you specify + ecr-public as the prefix, Amazon ECR treats that as ecr-public/. When using + a pull through cache rule, the repository prefix you specify during rule + creation is what you should specify as your repository creation template + prefix as well. + + Regex Pattern: `^((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*/?|ROOT)$` + type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf + repositoryPolicy: + description: |- + The repository policy to apply to repositories created using the template. + A repository policy is a permissions policy associated with a repository + to control access permissions. + type: string + resourceTags: + description: |- + The metadata to apply to the repository to help you categorize and organize. + Each tag consists of a key and an optional value, both of which you define. + Tag keys can have a maximum character length of 128 characters, and tag values + can have a maximum length of 256 characters. + items: + description: |- + The metadata to apply to a resource to help you categorize and organize them. + Each tag consists of a key and a value, both of which you define. Tag keys + can have a maximum character length of 128 characters, and tag values can + have a maximum length of 256 characters. 
+ properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - appliedFor + - prefix + type: object + status: + description: RepositoryCreationTemplateStatus defines the observed state + of RepositoryCreationTemplate + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRs managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createdAt: + description: |- + The date and time, in JavaScript date format, when the repository creation + template was created. + format: date-time + type: string + updatedAt: + description: |- + The date and time, in JavaScript date format, when the repository creation + template was last updated. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-ecr-controller/1.4.2/metadata/annotations.yaml b/operators/ack-ecr-controller/1.4.2/metadata/annotations.yaml new file mode 100644 index 000000000000..525ed18cd347 --- /dev/null +++ b/operators/ack-ecr-controller/1.4.2/metadata/annotations.yaml 
@@ -0,0 +1,15 @@
+annotations:
+ # Core bundle annotations.
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: ack-ecr-controller
+ operators.operatorframework.io.bundle.channels.v1: alpha
+ operators.operatorframework.io.bundle.channel.default.v1: alpha
+ operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0
+ operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+ operators.operatorframework.io.metrics.project_layout: unknown
+
+ # Annotations for testing.
+ operators.operatorframework.io.test.mediatype.v1: scorecard+v1
+ operators.operatorframework.io.test.config.v1: tests/scorecard/
diff --git a/operators/ack-ecr-controller/1.4.2/tests/scorecard/config.yaml b/operators/ack-ecr-controller/1.4.2/tests/scorecard/config.yaml
new file mode 100644
index 000000000000..382ddefd1566
--- /dev/null
+++ b/operators/ack-ecr-controller/1.4.2/tests/scorecard/config.yaml
@@ -0,0 +1,50 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests:
+ - entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: basic
+ test: basic-check-spec-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.7.1
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+storage:
+ spec:
+ mountPath: {}
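Review bot: All four test entries in this config reference `quay.io/operator-framework/scorecard-test:v1.7.1` by tag only, so the image that actually runs depends on whatever the registry serves for that tag at pull time. Pinning by digest, e.g. `image: quay.io/operator-framework/scorecard-test@sha256:<digest-placeholder>`, would make the test image reproducible and let a reviewer verify exactly what executes against the bundle. The `v1.7.1` tag also differs from the `operator-sdk-v1.28.0` builder recorded in metadata/annotations.yaml; this may be intentional scaffold output, but it is worth confirming the scorecard image version is the one meant to validate this bundle.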