diff --git a/.golangci.yml b/.golangci.yml
index aed8644..e422936 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -16,25 +16,28 @@ issues:
linters:
- dupl
- lll
+ - path: "test/*"
+ linters:
+ - dupl
+ - errcheck
+ - goconst
+ - gocyclo
+ - lll
+ - unused
+ - path: "pkg/*"
+ linters:
+ - lll
+ - unparam
linters:
disable-all: true
enable:
- - dupl
- errcheck
- - exportloopref
- - goconst
- - gocyclo
- gofmt
- goimports
- gosimple
- govet
- ineffassign
- - lll
- - misspell
- - nakedret
- - prealloc
- staticcheck
- typecheck
- unconvert
- - unparam
- unused
diff --git a/Dockerfile b/Dockerfile
index 1659e64..b90cfaa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
-FROM golang:1.23.6 AS builder
+FROM golang:1.24.9 AS builder
ARG TARGETOS
ARG TARGETARCH
diff --git a/Jenkinsfile b/Jenkinsfile
index 6e4ef4f..a9bc294 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -202,6 +202,14 @@ pipeline {
00 05 * * * % E2E_MARKLOGIC_IMAGE_VERSION=ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/marklogic-server-ubi-rootless:latest-11; PUBLISH_IMAGE=false''' : '')
}
+ environment {
+ PATH = "/space/go/bin:${env.PATH}"
+ MINIKUBE_HOME = "/space/minikube/"
+ KUBECONFIG = "/space/.kube-config"
+ GOPATH = "/space/go"
+ }
+
+
parameters {
string(name: 'E2E_MARKLOGIC_IMAGE_VERSION', defaultValue: 'ml-docker-db-dev-tierpoint.bed-artifactory.bedford.progress.com/marklogic/marklogic-server-ubi-rootless:latest-12', description: 'Docker image to use for tests.', trim: true)
string(name: 'VERSION', defaultValue: '1.1.0', description: 'Version to tag the image with.', trim: true)
diff --git a/Makefile b/Makefile
index 6267307..3befab4 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.0.0
+VERSION ?= 1.1.0
# VERIFY_HUGE_PAGES defines if hugepages test is enabled or not for e2e test
VERIFY_HUGE_PAGES ?= false
@@ -12,7 +12,7 @@ export E2E_DOCKER_IMAGE ?= $(IMG)
export E2E_KUSTOMIZE_VERSION ?= $(KUSTOMIZE_VERSION)
export E2E_CONTROLLER_TOOLS_VERSION ?= $(CONTROLLER_TOOLS_VERSION)
export E2E_MARKLOGIC_IMAGE_VERSION ?= progressofficial/marklogic-db:11.3.1-ubi-rootless-2.1.3
-export E2E_KUBERNETES_VERSION ?= v1.31.0
+export E2E_KUBERNETES_VERSION ?= v1.31.13
# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
ENVTEST_K8S_VERSION = 1.31.0
@@ -65,8 +65,8 @@ OPERATOR_SDK_VERSION ?= v1.34.2
# Image URL to use all building/pushing image targets
# Image for dev: ml-marklogic-operator-dev.bed-artifactory.bedford.progress.com/marklogic-operator-kubernetes
-# IMG ?= progressofficial/marklogic-operator-kubernetes:$(VERSION)
-IMG ?= "testrepo/marklogic-operator-image-dev:1.0.0"
+IMG ?= progressofficial/marklogic-operator-kubernetes:$(VERSION)
+# IMG ?= "testrepo/marklogic-operator-image-dev:$(VERSION)"
# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -173,11 +173,11 @@ e2e-cleanup-minikube:
minikube delete
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
-GOLANGCI_LINT_VERSION ?= v1.54.2
+GOLANGCI_LINT_VERSION ?= v1.62.2
golangci-lint:
@[ -f $(GOLANGCI_LINT) ] || { \
set -e ;\
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell dirname $(GOLANGCI_LINT)) $(GOLANGCI_LINT_VERSION) ;\
+ GOBIN=$(shell dirname $(GOLANGCI_LINT)) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) ;\
}
.PHONY: lint
@@ -265,7 +265,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
## Tool Versions
KUSTOMIZE_VERSION ?= v5.5.0
-CONTROLLER_TOOLS_VERSION ?= v0.17.1
+CONTROLLER_TOOLS_VERSION ?= v0.19.0
.PHONY: kustomize
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
@@ -368,6 +368,7 @@ $(HELMIFY): $(LOCALBIN)
test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@latest
helm: manifests kustomize helmify
+ cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/default | $(HELMIFY) -image-pull-secrets -original-name charts/marklogic-operator-kubernetes
.PHONY: image-scan
diff --git a/NOTICE.txt b/NOTICE.txt
index a0f2296..a6731b5 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -15,12 +15,12 @@ This document provides notice information for the third-party components used by
Third Party Components
-api v0.32.1 (Apache-2.0)
-apimachinery v0.32.1 (Apache-2.0)
-client-go v0.32.1 (Apache-2.0)
-controller-runtime v0.20.1 (Apache-2.0)
+api v0.34.1 (Apache-2.0)
+apimachinery v0.34.1 (Apache-2.0)
+client-go v0.34.1 (Apache-2.0)
+controller-runtime v0.22.3 (Apache-2.0)
k8s-objectmatcher v1.10.0 (Apache-2.0)
-logr v1.4.2 (Apache-2.0
+logr v1.4.3 (Apache-2.0)
Common Licenses
@@ -31,27 +31,27 @@ logr v1.4.2 (Apache-2.0
The following software may be included in this project (last updated February 11, 2025):
-Api v0.32.1 (Apache-2.0)
+Api v0.34.1 (Apache-2.0)
- https://github.com/kubernetes/api/tree/v0.32.1
+ https://github.com/kubernetes/api/tree/v0.34.1
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
-Apimachinery v0.32.1 (Apache-2.0)
+Apimachinery v0.34.1 (Apache-2.0)
- https://github.com/kubernetes/apimachinery/tree/v0.32.1
+ https://github.com/kubernetes/apimachinery/tree/v0.34.1
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
-client-go v0.32.1 (Apache-2.0)
+client-go v0.34.1 (Apache-2.0)
- https://github.com/kubernetes/client-go/tree/v0.32.1
+ https://github.com/kubernetes/client-go/tree/v0.34.1
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
-Controller-runtime v0.20.1 (Apache-2.0)
+Controller-runtime v0.22.3 (Apache-2.0)
- https://github.com/kubernetes-sigs/controller-runtime/tree/v0.20.1
+ https://github.com/kubernetes-sigs/controller-runtime/tree/v0.22.3
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
@@ -70,9 +70,9 @@ The source file patch/deletenull.go is based on https://github.com/kubernetes/ku
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
-Logr v1.4.2 (Apache-2.0)
+Logr v1.4.3 (Apache-2.0)
- https://github.com/go-logr/logr/tree/v1.4.2
+ https://github.com/go-logr/logr/tree/v1.4.3
For the full text of the Apache-2.0 license, see Apache License 2.0 (Apache-2.0)
diff --git a/charts/marklogic-operator-kubernetes/Chart.yaml b/charts/marklogic-operator-kubernetes/Chart.yaml
index 6f308e7..6572670 100644
--- a/charts/marklogic-operator-kubernetes/Chart.yaml
+++ b/charts/marklogic-operator-kubernetes/Chart.yaml
@@ -13,9 +13,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
-appVersion: "1.0.0"
+appVersion: "1.1.0"
diff --git a/charts/marklogic-operator-kubernetes/templates/marklogiccluster-crd.yaml b/charts/marklogic-operator-kubernetes/templates/marklogiccluster-crd.yaml
index c7d99b3..8d48e9a 100644
--- a/charts/marklogic-operator-kubernetes/templates/marklogiccluster-crd.yaml
+++ b/charts/marklogic-operator-kubernetes/templates/marklogiccluster-crd.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: marklogicclusters.marklogic.progress.com
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.19.0
labels:
{{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }}
spec:
@@ -260,15 +260,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -428,13 +426,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -1215,15 +1211,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -1404,12 +1398,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details Glusterfs
+ topology.
type: string
path:
description: |-
@@ -1463,7 +1455,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -1488,7 +1480,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support iSCSI
@@ -1906,6 +1898,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will be addressed
+ to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret data
to project
@@ -2040,7 +2137,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -2606,7 +2702,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2621,7 +2716,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2787,7 +2881,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2802,7 +2895,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2895,8 +2987,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -2965,7 +3057,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2980,7 +3071,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3146,7 +3236,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3161,7 +3250,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3548,7 +3636,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3563,7 +3650,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3730,7 +3816,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3745,7 +3830,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3839,8 +3923,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -3910,7 +3994,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3925,7 +4008,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4092,7 +4174,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4107,7 +4188,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4445,7 +4525,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4703,7 +4783,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4983,15 +5063,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -5159,13 +5237,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -5952,15 +6028,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -6142,12 +6216,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details
+ Glusterfs topology.
type: string
path:
description: |-
@@ -6201,7 +6273,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -6226,7 +6298,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support
@@ -6648,6 +6720,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will
+ be addressed to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret
data to project
@@ -6782,7 +6959,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -7352,7 +7528,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7367,7 +7542,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7534,7 +7708,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7549,7 +7722,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7643,8 +7815,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -7714,7 +7886,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7729,7 +7900,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7896,7 +8066,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7911,7 +8080,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -8164,7 +8332,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -8260,7 +8428,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -8529,7 +8697,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -8540,7 +8707,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
@@ -9322,7 +9488,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -9711,7 +9877,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -9722,7 +9887,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/charts/marklogic-operator-kubernetes/templates/marklogicgroup-crd.yaml b/charts/marklogic-operator-kubernetes/templates/marklogicgroup-crd.yaml
index af05825..6aa88e3 100644
--- a/charts/marklogic-operator-kubernetes/templates/marklogicgroup-crd.yaml
+++ b/charts/marklogic-operator-kubernetes/templates/marklogicgroup-crd.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
name: marklogicgroups.marklogic.progress.com
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.19.0
labels:
{{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }}
spec:
@@ -261,15 +261,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -429,13 +427,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -1216,15 +1212,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -1405,12 +1399,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details Glusterfs
+ topology.
type: string
path:
description: |-
@@ -1464,7 +1456,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -1489,7 +1481,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support iSCSI
@@ -1907,6 +1899,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will be addressed
+ to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret data
to project
@@ -2041,7 +2138,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -2607,7 +2703,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2622,7 +2717,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2788,7 +2882,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2803,7 +2896,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2896,8 +2988,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -2966,7 +3058,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2981,7 +3072,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3147,7 +3237,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3162,7 +3251,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3447,7 +3535,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4247,7 +4335,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4719,7 +4807,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -4730,7 +4817,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/charts/marklogic-operator-kubernetes/values.yaml b/charts/marklogic-operator-kubernetes/values.yaml
index 13157bd..8518f84 100644
--- a/charts/marklogic-operator-kubernetes/values.yaml
+++ b/charts/marklogic-operator-kubernetes/values.yaml
@@ -10,6 +10,7 @@ controllerManager:
capabilities:
drop:
- ALL
+ runAsNonRoot: true
image:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.15.0
@@ -30,9 +31,10 @@ controllerManager:
capabilities:
drop:
- ALL
+ runAsNonRoot: true
image:
repository: progressofficial/marklogic-operator-kubernetes
- tag: 1.0.0
+ tag: 1.1.0
resources:
limits:
cpu: 500m
diff --git a/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml b/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml
index 795b0af..a727f49 100644
--- a/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml
+++ b/config/crd/bases/marklogic.progress.com_marklogicclusters.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.19.0
name: marklogicclusters.marklogic.progress.com
spec:
group: marklogic.progress.com
@@ -259,15 +259,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -430,13 +428,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -1218,15 +1214,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -1408,12 +1402,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details
+ Glusterfs topology.
type: string
path:
description: |-
@@ -1467,7 +1459,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -1492,7 +1484,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support iSCSI
@@ -1912,6 +1904,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will be
+ addressed to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret data
to project
@@ -2046,7 +2143,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -2613,7 +2709,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2628,7 +2723,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2794,7 +2888,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2809,7 +2902,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2902,8 +2994,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -2972,7 +3064,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2987,7 +3078,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3153,7 +3243,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3168,7 +3257,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3556,7 +3644,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3571,7 +3658,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3738,7 +3824,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3753,7 +3838,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3847,8 +3931,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -3918,7 +4002,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3933,7 +4016,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4100,7 +4182,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4115,7 +4196,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -4454,7 +4534,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4712,7 +4792,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4993,15 +5073,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -5172,13 +5250,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -5968,15 +6044,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -6158,12 +6232,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details
+ Glusterfs topology.
type: string
path:
description: |-
@@ -6217,7 +6289,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -6242,7 +6314,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support
@@ -6668,6 +6740,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will
+ be addressed to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret
data to project
@@ -6802,7 +6979,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -7374,7 +7550,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7389,7 +7564,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7556,7 +7730,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7571,7 +7744,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7665,8 +7837,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -7736,7 +7908,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7751,7 +7922,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7918,7 +8088,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -7933,7 +8102,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -8186,7 +8354,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -8283,7 +8451,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -8553,7 +8721,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -8564,7 +8731,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
@@ -9352,7 +9518,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -9741,7 +9907,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -9752,7 +9917,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml b/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml
index 9e95819..5a757f7 100644
--- a/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml
+++ b/config/crd/bases/marklogic.progress.com_marklogicgroups.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
+ controller-gen.kubebuilder.io/version: v0.19.0
name: marklogicgroups.marklogic.progress.com
spec:
group: marklogic.progress.com
@@ -260,15 +260,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -431,13 +429,11 @@ spec:
description: |-
currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
type: string
modifyVolumeStatus:
description: |-
ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
When this is unset, there is no ModifyVolume operation being attempted.
- This is a beta field and requires enabling VolumeAttributesClass feature (off by default).
properties:
status:
description: "status is the status of the ControllerModifyVolume
@@ -1219,15 +1215,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
- it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
- will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume controller if it exists.
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
- (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -1409,12 +1403,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: |-
- endpoints is the endpoint name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ description: endpoints is the endpoint name that details
+ Glusterfs topology.
type: string
path:
description: |-
@@ -1468,7 +1460,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
- Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -1493,7 +1485,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support iSCSI
@@ -1913,6 +1905,111 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated CSRs will be
+ addressed to this signer.
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
description: secret information about the secret data
to project
@@ -2047,7 +2144,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
- More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
@@ -2614,7 +2710,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2629,7 +2724,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2795,7 +2889,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2810,7 +2903,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2903,8 +2995,8 @@ spec:
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
- compute a sum by iterating through the elements of this field and adding
- "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
@@ -2973,7 +3065,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -2988,7 +3079,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3154,7 +3244,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
Also, matchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3169,7 +3258,6 @@ spec:
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
- This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
@@ -3454,7 +3542,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4259,7 +4347,7 @@ spec:
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
- This is an alpha field and requires enabling the
+ This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
@@ -4731,7 +4819,6 @@ spec:
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
@@ -4742,7 +4829,6 @@ spec:
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
- This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 70c3437..ef10089 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -15,6 +15,7 @@ spec:
capabilities:
drop:
- "ALL"
+ runAsNonRoot: true
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
args:
- "--secure-listen-address=0.0.0.0:8443"
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index f6f5891..616b892 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -8,3 +8,9 @@ spec:
spec:
containers:
- name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index a8803b5..6fbcbd3 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ kind: Kustomization
images:
- name: controller
newName: progressofficial/marklogic-operator-kubernetes
- newTag: 1.0.0
+ newTag: 1.1.0
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 2bfb5c2..cd0b81c 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -77,6 +77,7 @@ spec:
capabilities:
drop:
- "ALL"
+ runAsNonRoot: true
livenessProbe:
httpGet:
path: /healthz
diff --git a/go.mod b/go.mod
index beec450..3ac62e5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,89 +1,100 @@
module github.com/marklogic/marklogic-operator-kubernetes
-go 1.23.6
+go 1.24.9
require (
github.com/cisco-open/k8s-objectmatcher v1.10.0
- github.com/go-logr/logr v1.4.2
- github.com/onsi/ginkgo/v2 v2.22.2
- github.com/onsi/gomega v1.36.2
- github.com/tidwall/gjson v1.17.3
- k8s.io/api v0.32.1
- k8s.io/apiextensions-apiserver v0.32.1
- k8s.io/apimachinery v0.32.1
- k8s.io/client-go v0.32.1
- sigs.k8s.io/controller-runtime v0.20.1
+ github.com/go-logr/logr v1.4.3
+ github.com/onsi/ginkgo/v2 v2.27.1
+ github.com/onsi/gomega v1.38.2
+ github.com/tidwall/gjson v1.18.0
+ k8s.io/api v0.34.1
+ k8s.io/apiextensions-apiserver v0.34.1
+ k8s.io/apimachinery v0.34.1
+ k8s.io/client-go v0.34.1
+ sigs.k8s.io/controller-runtime v0.22.3
sigs.k8s.io/e2e-framework v0.6.0
)
require (
emperror.dev/errors v0.8.1 // indirect
+ github.com/Masterminds/semver/v3 v3.4.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
- github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+ github.com/emicklei/go-restful/v3 v3.13.0 // indirect
github.com/evanphx/json-patch v5.9.11+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
- github.com/fsnotify/fsnotify v1.8.0 // indirect
- github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+ github.com/fsnotify/fsnotify v1.9.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
- github.com/go-openapi/jsonpointer v0.21.0 // indirect
- github.com/go-openapi/jsonreference v0.21.0 // indirect
- github.com/go-openapi/swag v0.23.0 // indirect
+ github.com/go-openapi/jsonpointer v0.22.1 // indirect
+ github.com/go-openapi/jsonreference v0.21.2 // indirect
+ github.com/go-openapi/swag v0.25.1 // indirect
+ github.com/go-openapi/swag/cmdutils v0.25.1 // indirect
+ github.com/go-openapi/swag/conv v0.25.1 // indirect
+ github.com/go-openapi/swag/fileutils v0.25.1 // indirect
+ github.com/go-openapi/swag/jsonname v0.25.1 // indirect
+ github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
+ github.com/go-openapi/swag/loading v0.25.1 // indirect
+ github.com/go-openapi/swag/mangling v0.25.1 // indirect
+ github.com/go-openapi/swag/netutils v0.25.1 // indirect
+ github.com/go-openapi/swag/stringutils v0.25.1 // indirect
+ github.com/go-openapi/swag/typeutils v0.25.1 // indirect
+ github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
- github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
- github.com/google/gnostic-models v0.6.9 // indirect
- github.com/google/go-cmp v0.6.0 // indirect
- github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/pprof v0.0.0-20250202011525-fc3143867406 // indirect
+ github.com/google/gnostic-models v0.7.0 // indirect
+ github.com/google/go-cmp v0.7.0 // indirect
+ github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d // indirect
github.com/google/uuid v1.6.0 // indirect
- github.com/gorilla/websocket v1.5.3 // indirect
- github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/josharian/intern v1.0.0 // indirect
+ github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.17.11 // indirect
- github.com/mailru/easyjson v0.9.0 // indirect
+ github.com/klauspost/compress v1.18.1 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/pkg/errors v0.9.1 // indirect
- github.com/prometheus/client_golang v1.20.5 // indirect
- github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.62.0 // indirect
- github.com/prometheus/procfs v0.15.1 // indirect
- github.com/spf13/cobra v1.8.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+ github.com/prometheus/client_golang v1.23.2 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
+ github.com/prometheus/common v0.67.1 // indirect
+ github.com/prometheus/procfs v0.19.1 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
github.com/tidwall/match v1.1.1 // indirect
- github.com/tidwall/pretty v1.2.0 // indirect
- github.com/vladimirvivien/gexe v0.4.1 // indirect
+ github.com/tidwall/pretty v1.2.1 // indirect
+ github.com/vladimirvivien/gexe v0.5.0 // indirect
github.com/x448/float16 v0.8.4 // indirect
- go.opentelemetry.io/otel v1.34.0 // indirect
- go.opentelemetry.io/otel/trace v1.34.0 // indirect
+ go.opentelemetry.io/otel v1.38.0 // indirect
+ go.opentelemetry.io/otel/trace v1.38.0 // indirect
+ go.uber.org/automaxprocs v1.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
- golang.org/x/net v0.34.0 // indirect
- golang.org/x/oauth2 v0.26.0 // indirect
- golang.org/x/sync v0.11.0 // indirect
- golang.org/x/sys v0.30.0 // indirect
- golang.org/x/term v0.29.0 // indirect
- golang.org/x/text v0.22.0 // indirect
- golang.org/x/time v0.10.0 // indirect
- golang.org/x/tools v0.29.0 // indirect
- gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/protobuf v1.36.4 // indirect
- gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+ go.yaml.in/yaml/v2 v2.4.3 // indirect
+ go.yaml.in/yaml/v3 v3.0.4 // indirect
+ golang.org/x/mod v0.29.0 // indirect
+ golang.org/x/net v0.46.0 // indirect
+ golang.org/x/oauth2 v0.32.0 // indirect
+ golang.org/x/sync v0.17.0 // indirect
+ golang.org/x/sys v0.37.0 // indirect
+ golang.org/x/term v0.36.0 // indirect
+ golang.org/x/text v0.30.0 // indirect
+ golang.org/x/time v0.14.0 // indirect
+ golang.org/x/tools v0.38.0 // indirect
+ gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+ google.golang.org/protobuf v1.36.10 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/component-base v0.32.1 // indirect
+ k8s.io/component-base v0.34.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
- k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
- sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
- sigs.k8s.io/yaml v1.4.0 // indirect
+ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+ k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+ sigs.k8s.io/randfill v1.0.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+ sigs.k8s.io/yaml v1.6.0 // indirect
)
diff --git a/go.sum b/go.sum
index 1191d2f..935837a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
emperror.dev/errors v0.8.1 h1:UavXZ5cSX/4u9iyvH6aDcuGkVjeexUGJ7Ij7G4VfQT0=
emperror.dev/errors v0.8.1/go.mod h1:YcRvLPh626Ubn2xqtoprejnA5nFha+TJ+2vew48kWuE=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -10,128 +12,162 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cisco-open/k8s-objectmatcher v1.10.0 h1:1TdhMPqVaU+NqECqytAkRF1SFU0QIMqrqbNTnTl933A=
github.com/cisco-open/k8s-objectmatcher v1.10.0/go.mod h1:O/TFG3vW12jbKNQejpc8SGgSfujlaWYIOCZHcXeK514=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
-github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
+github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE=
+github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk=
+github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM=
+github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU=
+github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ=
+github.com/go-openapi/swag v0.25.1 h1:6uwVsx+/OuvFVPqfQmOOPsqTcm5/GkBhNwLqIR916n8=
+github.com/go-openapi/swag v0.25.1/go.mod h1:bzONdGlT0fkStgGPd3bhZf1MnuPkf2YAys6h+jZipOo=
+github.com/go-openapi/swag/cmdutils v0.25.1 h1:nDke3nAFDArAa631aitksFGj2omusks88GF1VwdYqPY=
+github.com/go-openapi/swag/cmdutils v0.25.1/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0=
+github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0=
+github.com/go-openapi/swag/conv v0.25.1/go.mod h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs=
+github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU=
+github.com/go-openapi/swag/fileutils v0.25.1/go.mod h1:+NXtt5xNZZqmpIpjqcujqojGFek9/w55b3ecmOdtg8M=
+github.com/go-openapi/swag/jsonname v0.25.1 h1:Sgx+qbwa4ej6AomWC6pEfXrA6uP2RkaNjA9BR8a1RJU=
+github.com/go-openapi/swag/jsonname v0.25.1/go.mod h1:71Tekow6UOLBD3wS7XhdT98g5J5GR13NOTQ9/6Q11Zo=
+github.com/go-openapi/swag/jsonutils v0.25.1 h1:AihLHaD0brrkJoMqEZOBNzTLnk81Kg9cWr+SPtxtgl8=
+github.com/go-openapi/swag/jsonutils v0.25.1/go.mod h1:JpEkAjxQXpiaHmRO04N1zE4qbUEg3b7Udll7AMGTNOo=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1 h1:DSQGcdB6G0N9c/KhtpYc71PzzGEIc/fZ1no35x4/XBY=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1/go.mod h1:kjmweouyPwRUEYMSrbAidoLMGeJ5p6zdHi9BgZiqmsg=
+github.com/go-openapi/swag/loading v0.25.1 h1:6OruqzjWoJyanZOim58iG2vj934TysYVptyaoXS24kw=
+github.com/go-openapi/swag/loading v0.25.1/go.mod h1:xoIe2EG32NOYYbqxvXgPzne989bWvSNoWoyQVWEZicc=
+github.com/go-openapi/swag/mangling v0.25.1 h1:XzILnLzhZPZNtmxKaz/2xIGPQsBsvmCjrJOWGNz/ync=
+github.com/go-openapi/swag/mangling v0.25.1/go.mod h1:CdiMQ6pnfAgyQGSOIYnZkXvqhnnwOn997uXZMAd/7mQ=
+github.com/go-openapi/swag/netutils v0.25.1 h1:2wFLYahe40tDUHfKT1GRC4rfa5T1B4GWZ+msEFA4Fl4=
+github.com/go-openapi/swag/netutils v0.25.1/go.mod h1:CAkkvqnUJX8NV96tNhEQvKz8SQo2KF0f7LleiJwIeRE=
+github.com/go-openapi/swag/stringutils v0.25.1 h1:Xasqgjvk30eUe8VKdmyzKtjkVjeiXx1Iz0zDfMNpPbw=
+github.com/go-openapi/swag/stringutils v0.25.1/go.mod h1:JLdSAq5169HaiDUbTvArA2yQxmgn4D6h4A+4HqVvAYg=
+github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3I3ysiFZqukA=
+github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8=
+github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk=
+github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg=
github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
-github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
+github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20250202011525-fc3143867406 h1:wlQI2cYY0BsWmmPPAnxfQ8SDW0S3Jasn+4B8kXFxprg=
-github.com/google/pprof v0.0.0-20250202011525-fc3143867406/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d h1:KJIErDwbSHjnp/SGzE5ed8Aol7JsKiI5X7yWKAtzhM0=
+github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
-github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
-github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
+github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
+github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
-github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
-github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
-github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/onsi/ginkgo/v2 v2.27.1 h1:0LJC8MpUSQnfnp4n/3W3GdlmJP3ENGF0ZPzjQGLPP7s=
+github.com/onsi/ginkgo/v2 v2.27.1/go.mod h1:wmy3vCqiBjirARfVhAqFpYt8uvX0yaFe+GudAqqcCqA=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
+github.com/prometheus/procfs v0.19.1 h1:QVtROpTkphuXuNlnCv3m1ut3JytkXHtQ3xvck/YmzMM=
+github.com/prometheus/procfs v0.19.1/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94=
-github.com/tidwall/gjson v1.17.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-github.com/vladimirvivien/gexe v0.4.1 h1:W9gWkp8vSPjDoXDu04Yp4KljpVMaSt8IQuHswLDd5LY=
-github.com/vladimirvivien/gexe v0.4.1/go.mod h1:3gjgTqE2c0VyHnU5UOIwk7gyNzZDGulPb/DJPgcw64E=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
+github.com/vladimirvivien/gexe v0.5.0 h1:AWBVaYnrTsGYBktXvcO0DfWPeSiZxn6mnQ5nvL+A1/A=
+github.com/vladimirvivien/gexe v0.5.0/go.mod h1:3gjgTqE2c0VyHnU5UOIwk7gyNzZDGulPb/DJPgcw64E=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
@@ -139,83 +175,91 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
-golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
-golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
-golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
-gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
+gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
-k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
-k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
-k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
-k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk=
-k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w=
+k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
+k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
+k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
+k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
+k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
+k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
+k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
+k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7/go.mod h1:GewRfANuJ70iYzvn+i4lezLDAFzvjxZYK1gn1lWcfas=
-k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
-k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.20.1 h1:JbGMAG/X94NeM3xvjenVUaBjy6Ui4Ogd/J5ZtjZnHaE=
-sigs.k8s.io/controller-runtime v0.20.1/go.mod h1:BrP3w158MwvB3ZbNpaAcIKkHQ7YGpYnzpoSTZ8E14WU=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y=
+sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
sigs.k8s.io/e2e-framework v0.6.0 h1:p7hFzHnLKO7eNsWGI2AbC1Mo2IYxidg49BiT4njxkrM=
sigs.k8s.io/e2e-framework v0.6.0/go.mod h1:IREnCHnKgRCioLRmNi0hxSJ1kJ+aAdjEKK/gokcZu4k=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk=
-sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/internal/controller/marklogiccluster_controller.go b/internal/controller/marklogiccluster_controller.go
index 2766e77..3ce724c 100644
--- a/internal/controller/marklogiccluster_controller.go
+++ b/internal/controller/marklogiccluster_controller.go
@@ -28,10 +28,11 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
+ "reflect"
+
"github.com/go-logr/logr"
marklogicv1 "github.com/marklogic/marklogic-operator-kubernetes/api/v1"
"github.com/marklogic/marklogic-operator-kubernetes/pkg/k8sutil"
- "reflect"
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/predicate"
)
diff --git a/internal/controller/marklogicgroup_controller.go b/internal/controller/marklogicgroup_controller.go
index 0c02ba8..baf4c29 100644
--- a/internal/controller/marklogicgroup_controller.go
+++ b/internal/controller/marklogicgroup_controller.go
@@ -19,6 +19,8 @@ package controller
import (
"context"
+ "reflect"
+
"github.com/go-logr/logr"
marklogicv1 "github.com/marklogic/marklogic-operator-kubernetes/api/v1"
"github.com/marklogic/marklogic-operator-kubernetes/pkg/k8sutil"
@@ -27,7 +29,6 @@ import (
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/tools/record"
- "reflect"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/event"
diff --git a/pkg/k8sutil/haProxy.go b/pkg/k8sutil/haProxy.go
index e848bc4..82ffacc 100644
--- a/pkg/k8sutil/haProxy.go
+++ b/pkg/k8sutil/haProxy.go
@@ -6,6 +6,7 @@ import (
"sort"
"context"
+
"github.com/cisco-open/k8s-objectmatcher/patch"
marklogicv1 "github.com/marklogic/marklogic-operator-kubernetes/api/v1"
"github.com/marklogic/marklogic-operator-kubernetes/pkg/result"
@@ -128,6 +129,10 @@ func (cc *ClusterContext) ReconcileHAProxy() result.ReconcileResult {
patch.IgnoreStatusFields(),
patch.IgnoreVolumeClaimTemplateTypeMetaAndStatus(),
patch.IgnoreField("kind"))
+ if err != nil {
+ logger.Error(err, "Failed to calculate HAProxy Deployment patch")
+ return result.Error(err)
+ }
if haproxyDeploymentDef.Spec.Template.Annotations == nil {
haproxyDeploymentDef.Spec.Template.Annotations = make(map[string]string)
}
diff --git a/pkg/k8sutil/haProxyHelper.go b/pkg/k8sutil/haProxyHelper.go
index 6ede799..453bcba 100644
--- a/pkg/k8sutil/haProxyHelper.go
+++ b/pkg/k8sutil/haProxyHelper.go
@@ -87,7 +87,7 @@ func generateHAProxyConfig(ctx context.Context, cr *marklogicv1.MarklogicCluster
continue
}
- if !config.IsPathBased && group.HAProxy != nil && group.HAProxy.PathBasedRouting != nil && *group.HAProxy.PathBasedRouting == true {
+ if !config.IsPathBased && group.HAProxy != nil && group.HAProxy.PathBasedRouting != nil && *group.HAProxy.PathBasedRouting {
config.IsPathBased = true
}
@@ -214,8 +214,8 @@ frontend marklogic-pathbased-frontend
continue
}
data = &HAProxyTemplate{
- PortNumber: int(babackend.Port),
- TargetPortNumber: int(babackend.TargetPort),
+ PortNumber: babackend.Port,
+ TargetPortNumber: babackend.TargetPort,
Path: babackend.Path,
IsPathBased: babackend.IsPathBased,
BackendName: babackend.BackendName,
@@ -236,8 +236,8 @@ frontend {{ .FrontendName }}
data = &HAProxyTemplate{
FrontendName: frontend.FrontendName,
BackendName: frontend.BackendName,
- PortNumber: int(frontend.Port),
- TargetPortNumber: int(frontend.TargetPort),
+ PortNumber: frontend.Port,
+ TargetPortNumber: frontend.TargetPort,
SslCert: getSSLConfig(cr.Spec.HAProxy.Tls),
}
result += parseTemplateToString(frontEndDef, data) + "\n"
@@ -369,7 +369,7 @@ listen marklogic-TCP-{{.TcpName}}
mode tcp
balance leastconn`
data := &HAProxyTemplate{
- PortNumber: int(tcpConfigSlice[0].Port),
+ PortNumber: tcpConfigSlice[0].Port,
TcpName: tcpConfigSlice[0].TcpName,
SslCert: getSSLConfig(cr.Spec.HAProxy.Tls),
}
@@ -378,7 +378,7 @@ listen marklogic-TCP-{{.TcpName}}
for _, tcpConfig := range tcpConfigSlice {
for i := 0; i < tcpConfig.Replicas; i++ {
data := &HAProxyTemplate{
- PortNumber: int(tcpConfig.TargetPort),
+ PortNumber: tcpConfig.TargetPort,
PodName: tcpConfig.PodName,
Index: i,
ServiceName: name,
diff --git a/pkg/k8sutil/ingress.go b/pkg/k8sutil/ingress.go
index df2d34a..37eab20 100644
--- a/pkg/k8sutil/ingress.go
+++ b/pkg/k8sutil/ingress.go
@@ -36,9 +36,7 @@ func generateIngressDef(ingressMeta metav1.ObjectMeta, ownerRef metav1.OwnerRefe
},
})
}
- for _, additionalHost := range cr.Spec.HAProxy.Ingress.AdditionalHosts {
- ingressRules = append(ingressRules, additionalHost)
- }
+ ingressRules = append(ingressRules, cr.Spec.HAProxy.Ingress.AdditionalHosts...)
ingressSpec := networkingv1.IngressSpec{
IngressClassName: &cr.Spec.HAProxy.Ingress.IngressClassName,
@@ -128,6 +126,8 @@ func (cc *ClusterContext) ReconcileIngress() result.ReconcileResult {
return result.Continue()
}
+// Deprecated: createIngress is currently unused but kept for future use
+// nolint:unused
func (cc *ClusterContext) createIngress(namespace string) error {
logger := cc.ReqLogger
client := cc.Client
diff --git a/pkg/k8sutil/marklogicServer.go b/pkg/k8sutil/marklogicServer.go
index 838fec5..eeaa6e7 100644
--- a/pkg/k8sutil/marklogicServer.go
+++ b/pkg/k8sutil/marklogicServer.go
@@ -188,7 +188,7 @@ func (cc *ClusterContext) ReconsileMarklogicCluster() (reconcile.Result, error)
}
logger.Info("Created new MarkLogic Server resource")
- result.Done().Output()
+ _, _ = result.Done().Output()
} else {
logger.Error(err, "Failed to get MarkLogicGroup resource")
}
diff --git a/pkg/k8sutil/networkPolicy.go b/pkg/k8sutil/networkPolicy.go
index 56578da..4a92880 100644
--- a/pkg/k8sutil/networkPolicy.go
+++ b/pkg/k8sutil/networkPolicy.go
@@ -33,8 +33,7 @@ func generateNetworkPolicyDef(networkPolicyMeta metav1.ObjectMeta, ownerRef meta
func (cc *ClusterContext) getNetworkPolicy(namespace string, networkPolicyName string) (*networkingv1.NetworkPolicy, error) {
logger := cc.ReqLogger
- var networkPolicy *networkingv1.NetworkPolicy
- networkPolicy = &networkingv1.NetworkPolicy{}
+ networkPolicy := &networkingv1.NetworkPolicy{}
err := cc.Client.Get(cc.Ctx, types.NamespacedName{Name: networkPolicyName, Namespace: namespace}, networkPolicy)
if err != nil {
logger.Info("MarkLogic NetworkPolicy get action failed")
@@ -99,6 +98,8 @@ func (cc *ClusterContext) ReconcileNetworkPolicy() result.ReconcileResult {
return result.Continue()
}
+// Deprecated: createNetworkPolicy is currently unused but kept for future use
+// nolint:unused
func (oc *OperatorContext) createNetworkPolicy(namespace string, networkPolicy *networkingv1.NetworkPolicy) error {
logger := oc.ReqLogger
client := oc.Client
diff --git a/pkg/k8sutil/service.go b/pkg/k8sutil/service.go
index 1a1569d..fc43ab7 100644
--- a/pkg/k8sutil/service.go
+++ b/pkg/k8sutil/service.go
@@ -72,8 +72,7 @@ func generateServicePorts() []corev1.ServicePort {
}
func generateServiceDef(serviceMeta metav1.ObjectMeta, ownerRef metav1.OwnerReference, params serviceParameters) *corev1.Service {
- var svcSpec corev1.ServiceSpec
- svcSpec = corev1.ServiceSpec{
+ svcSpec := corev1.ServiceSpec{
Selector: getSelectorLabels(params.StsName),
Ports: append(params.Ports, generateServicePorts()...),
}
@@ -101,8 +100,7 @@ func (oc *OperatorContext) generateService(svcName string, cr *marklogicv1.Markl
for key, value := range groupLabels {
labels[key] = value
}
- var svcParams serviceParameters = serviceParameters{}
- svcParams = generateServiceParams(cr)
+ svcParams := generateServiceParams(cr)
svcObjectMeta := generateObjectMeta(svcName, cr.Namespace, labels, svcParams.Annotations)
service := generateServiceDef(svcObjectMeta, marklogicServerAsOwner(cr), svcParams)
return service
diff --git a/pkg/k8sutil/statefulset.go b/pkg/k8sutil/statefulset.go
index 29d57c2..508b124 100644
--- a/pkg/k8sutil/statefulset.go
+++ b/pkg/k8sutil/statefulset.go
@@ -402,10 +402,16 @@ func generateContainerParams(cr *marklogicv1.MarklogicGroup) containerParameters
Tls: cr.Spec.Tls,
AdditionalVolumes: cr.Spec.AdditionalVolumes,
AdditionalVolumeMounts: cr.Spec.AdditionalVolumeMounts,
- SecretName: cr.Spec.SecretName,
Persistence: cr.Spec.Persistence,
}
+ // Set SecretName with fallback to default if not specified
+ if cr.Spec.SecretName != "" {
+ containerParams.SecretName = cr.Spec.SecretName
+ } else {
+ containerParams.SecretName = cr.ObjectMeta.Name + "-admin"
+ }
+
if cr.Spec.License != nil {
containerParams.LicenseKey = cr.Spec.License.Key
containerParams.Licensee = cr.Spec.License.Licensee
diff --git a/test/e2e/2_marklogic_cluster_test.go b/test/e2e/2_marklogic_cluster_test.go
index f021866..0ffaf21 100644
--- a/test/e2e/2_marklogic_cluster_test.go
+++ b/test/e2e/2_marklogic_cluster_test.go
@@ -184,7 +184,7 @@ func TestMarklogicCluster(t *testing.T) {
if err != nil {
t.Fatalf("Failed to execute kubectl command grafana in pod: %v", err)
}
- if !(strings.Contains(string(output), "Datasource added") && strings.Contains(string(output), "Loki")) {
+ if !(strings.Contains(output, "Datasource added") && strings.Contains(output, "Loki")) {
t.Fatal("Failed to create datasource for Grafana")
} else {
t.Logf("Datasource created successfully: %s", output)
@@ -322,7 +322,7 @@ func TestMarklogicCluster(t *testing.T) {
}
t.Logf("Query datasource response: %s", output)
// Verify MarkLogic logs in Grafana using Loki and Fluent Bit
- if strings.Contains(string(output), "Starting MarkLogic Server") {
+ if strings.Contains(output, "Starting MarkLogic Server") {
t.Logf("Successfully found MarkLogic logs on attempt %d", attempt)
} else if attempt == maxRetries {
t.Fatalf("Failed to find MarkLogic logs in Grafana after %d attempts", maxRetries)
@@ -337,7 +337,7 @@ func TestMarklogicCluster(t *testing.T) {
if err != nil {
t.Fatalf("Failed to execute kubectl command in grafana pod: %v", err)
}
- if !strings.Contains(string(output), "Fluent Bit Dashboard") {
+ if !strings.Contains(output, "Fluent Bit Dashboard") {
t.Fatal("Failed to associate Fluent Bit as filter in Grafana dashboard")
}
return ctx
@@ -376,7 +376,7 @@ func TestMarklogicCluster(t *testing.T) {
feature.Assess("Verify Huge pages", func(ctx context.Context, t *testing.T, c *envconf.Config) context.Context {
podName := "node-0"
containerName := "marklogic-server"
- cmd := fmt.Sprintf("cat /var/opt/MarkLogic/Logs/ErrorLog.txt")
+ cmd := "cat /var/opt/MarkLogic/Logs/ErrorLog.txt"
output, err := utils.ExecCmdInPod(podName, mlNamespace, containerName, cmd)
if err != nil {
@@ -384,7 +384,7 @@ func TestMarklogicCluster(t *testing.T) {
}
expectedOutput := "Linux Huge Pages: detected 1280"
- if !strings.Contains(string(output), expectedOutput) {
+ if !strings.Contains(output, expectedOutput) {
t.Fatal("Huge Pages not configured for the MarLogic node")
}
return ctx
diff --git a/test/e2e/3_ml_cluster_ednode_test.go b/test/e2e/3_ml_cluster_ednode_test.go
index 5e872f5..2e816b0 100644
--- a/test/e2e/3_ml_cluster_ednode_test.go
+++ b/test/e2e/3_ml_cluster_ednode_test.go
@@ -146,7 +146,7 @@ func TestMlClusterWithEdnode(t *testing.T) {
if err != nil {
t.Fatalf("Failed to execute curl command in pod: %v", err)
}
- if !strings.Contains(string(output), "dnode") && !strings.Contains(string(output), "enode") {
+ if !strings.Contains(output, "dnode") && !strings.Contains(output, "enode") {
t.Fatal("Groups does not exists on MarkLogic cluster")
}
return ctx