diff --git a/config/applyconfigurations/config/v1/acceptrisk.go b/config/applyconfigurations/config/v1/acceptrisk.go
new file mode 100644
index 000000000..dba8a77ed
--- /dev/null
+++ b/config/applyconfigurations/config/v1/acceptrisk.go
@@ -0,0 +1,23 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// AcceptRiskApplyConfiguration represents a declarative configuration of the AcceptRisk type for use
+// with apply.
+type AcceptRiskApplyConfiguration struct {
+ Name *string `json:"name,omitempty"`
+}
+
+// AcceptRiskApplyConfiguration constructs a declarative configuration of the AcceptRisk type for use with
+// apply.
+func AcceptRisk() *AcceptRiskApplyConfiguration {
+ return &AcceptRiskApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *AcceptRiskApplyConfiguration) WithName(value string) *AcceptRiskApplyConfiguration {
+ b.Name = &value
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/clusterversionstatus.go b/config/applyconfigurations/config/v1/clusterversionstatus.go
index e966cf424..4d44643d4 100644
--- a/config/applyconfigurations/config/v1/clusterversionstatus.go
+++ b/config/applyconfigurations/config/v1/clusterversionstatus.go
@@ -5,14 +5,15 @@ package v1
// ClusterVersionStatusApplyConfiguration represents a declarative configuration of the ClusterVersionStatus type for use
// with apply.
type ClusterVersionStatusApplyConfiguration struct {
- Desired *ReleaseApplyConfiguration `json:"desired,omitempty"`
- History []UpdateHistoryApplyConfiguration `json:"history,omitempty"`
- ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
- VersionHash *string `json:"versionHash,omitempty"`
- Capabilities *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"`
- Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"`
- AvailableUpdates []ReleaseApplyConfiguration `json:"availableUpdates,omitempty"`
- ConditionalUpdates []ConditionalUpdateApplyConfiguration `json:"conditionalUpdates,omitempty"`
+ Desired *ReleaseApplyConfiguration `json:"desired,omitempty"`
+ History []UpdateHistoryApplyConfiguration `json:"history,omitempty"`
+ ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+ VersionHash *string `json:"versionHash,omitempty"`
+ Capabilities *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"`
+ Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"`
+ AvailableUpdates []ReleaseApplyConfiguration `json:"availableUpdates,omitempty"`
+ ConditionalUpdates []ConditionalUpdateApplyConfiguration `json:"conditionalUpdates,omitempty"`
+ ConditionalUpdateRisks []ConditionalUpdateRiskApplyConfiguration `json:"conditionalUpdateRisks,omitempty"`
}
// ClusterVersionStatusApplyConfiguration constructs a declarative configuration of the ClusterVersionStatus type for use with
@@ -104,3 +105,16 @@ func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdates(values .
}
return b
}
+
+// WithConditionalUpdateRisks adds the given value to the ConditionalUpdateRisks field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ConditionalUpdateRisks field.
+func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdateRisks(values ...*ConditionalUpdateRiskApplyConfiguration) *ClusterVersionStatusApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithConditionalUpdateRisks")
+ }
+ b.ConditionalUpdateRisks = append(b.ConditionalUpdateRisks, *values[i])
+ }
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/conditionalupdate.go b/config/applyconfigurations/config/v1/conditionalupdate.go
index f183fc6e2..8bffb192c 100644
--- a/config/applyconfigurations/config/v1/conditionalupdate.go
+++ b/config/applyconfigurations/config/v1/conditionalupdate.go
@@ -10,6 +10,7 @@ import (
// with apply.
type ConditionalUpdateApplyConfiguration struct {
Release *ReleaseApplyConfiguration `json:"release,omitempty"`
+ RiskNames []string `json:"riskNames,omitempty"`
Risks []ConditionalUpdateRiskApplyConfiguration `json:"risks,omitempty"`
Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
}
@@ -28,6 +29,16 @@ func (b *ConditionalUpdateApplyConfiguration) WithRelease(value *ReleaseApplyCon
return b
}
+// WithRiskNames adds the given value to the RiskNames field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RiskNames field.
+func (b *ConditionalUpdateApplyConfiguration) WithRiskNames(values ...string) *ConditionalUpdateApplyConfiguration {
+ for i := range values {
+ b.RiskNames = append(b.RiskNames, values[i])
+ }
+ return b
+}
+
// WithRisks adds the given value to the Risks field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Risks field.
diff --git a/config/applyconfigurations/config/v1/conditionalupdaterisk.go b/config/applyconfigurations/config/v1/conditionalupdaterisk.go
index 6debb6e62..fdfc14ebf 100644
--- a/config/applyconfigurations/config/v1/conditionalupdaterisk.go
+++ b/config/applyconfigurations/config/v1/conditionalupdaterisk.go
@@ -2,9 +2,14 @@
package v1
+import (
+ metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
// ConditionalUpdateRiskApplyConfiguration represents a declarative configuration of the ConditionalUpdateRisk type for use
// with apply.
type ConditionalUpdateRiskApplyConfiguration struct {
+ Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
URL *string `json:"url,omitempty"`
Name *string `json:"name,omitempty"`
Message *string `json:"message,omitempty"`
@@ -17,6 +22,19 @@ func ConditionalUpdateRisk() *ConditionalUpdateRiskApplyConfiguration {
return &ConditionalUpdateRiskApplyConfiguration{}
}
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *ConditionalUpdateRiskApplyConfiguration) WithConditions(values ...*metav1.ConditionApplyConfiguration) *ConditionalUpdateRiskApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithConditions")
+ }
+ b.Conditions = append(b.Conditions, *values[i])
+ }
+ return b
+}
+
// WithURL sets the URL field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the URL field is set to the value of the last call.
diff --git a/config/applyconfigurations/config/v1/oidcprovider.go b/config/applyconfigurations/config/v1/oidcprovider.go
index 7d9300367..4f5aec3a5 100644
--- a/config/applyconfigurations/config/v1/oidcprovider.go
+++ b/config/applyconfigurations/config/v1/oidcprovider.go
@@ -10,6 +10,7 @@ type OIDCProviderApplyConfiguration struct {
OIDCClients []OIDCClientConfigApplyConfiguration `json:"oidcClients,omitempty"`
ClaimMappings *TokenClaimMappingsApplyConfiguration `json:"claimMappings,omitempty"`
ClaimValidationRules []TokenClaimValidationRuleApplyConfiguration `json:"claimValidationRules,omitempty"`
+ UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"`
}
// OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with
@@ -67,3 +68,16 @@ func (b *OIDCProviderApplyConfiguration) WithClaimValidationRules(values ...*Tok
}
return b
}
+
+// WithUserValidationRules adds the given value to the UserValidationRules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the UserValidationRules field.
+func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*TokenUserValidationRuleApplyConfiguration) *OIDCProviderApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithUserValidationRules")
+ }
+ b.UserValidationRules = append(b.UserValidationRules, *values[i])
+ }
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go b/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go
new file mode 100644
index 000000000..8dda73db1
--- /dev/null
+++ b/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenClaimValidationCELRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationCELRule type for use
+// with apply.
+type TokenClaimValidationCELRuleApplyConfiguration struct {
+ Expression *string `json:"expression,omitempty"`
+ Message *string `json:"message,omitempty"`
+}
+
+// TokenClaimValidationCELRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationCELRule type for use with
+// apply.
+func TokenClaimValidationCELRule() *TokenClaimValidationCELRuleApplyConfiguration {
+ return &TokenClaimValidationCELRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithExpression(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+ b.Expression = &value
+ return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithMessage(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+ b.Message = &value
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go b/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
index 74e9f6109..c8b0c6005 100644
--- a/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
+++ b/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
@@ -9,8 +9,9 @@ import (
// TokenClaimValidationRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationRule type for use
// with apply.
type TokenClaimValidationRuleApplyConfiguration struct {
- Type *configv1.TokenValidationRuleType `json:"type,omitempty"`
- RequiredClaim *TokenRequiredClaimApplyConfiguration `json:"requiredClaim,omitempty"`
+ Type *configv1.TokenValidationRuleType `json:"type,omitempty"`
+ RequiredClaim *TokenRequiredClaimApplyConfiguration `json:"requiredClaim,omitempty"`
+ CEL *TokenClaimValidationCELRuleApplyConfiguration `json:"cel,omitempty"`
}
// TokenClaimValidationRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationRule type for use with
@@ -34,3 +35,11 @@ func (b *TokenClaimValidationRuleApplyConfiguration) WithRequiredClaim(value *To
b.RequiredClaim = value
return b
}
+
+// WithCEL sets the CEL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CEL field is set to the value of the last call.
+func (b *TokenClaimValidationRuleApplyConfiguration) WithCEL(value *TokenClaimValidationCELRuleApplyConfiguration) *TokenClaimValidationRuleApplyConfiguration {
+ b.CEL = value
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/tokenissuer.go b/config/applyconfigurations/config/v1/tokenissuer.go
index 68f590abc..4c971d292 100644
--- a/config/applyconfigurations/config/v1/tokenissuer.go
+++ b/config/applyconfigurations/config/v1/tokenissuer.go
@@ -12,6 +12,7 @@ type TokenIssuerApplyConfiguration struct {
URL *string `json:"issuerURL,omitempty"`
Audiences []configv1.TokenAudience `json:"audiences,omitempty"`
CertificateAuthority *ConfigMapNameReferenceApplyConfiguration `json:"issuerCertificateAuthority,omitempty"`
+ DiscoveryURL *string `json:"discoveryURL,omitempty"`
}
// TokenIssuerApplyConfiguration constructs a declarative configuration of the TokenIssuer type for use with
@@ -45,3 +46,11 @@ func (b *TokenIssuerApplyConfiguration) WithCertificateAuthority(value *ConfigMa
b.CertificateAuthority = value
return b
}
+
+// WithDiscoveryURL sets the DiscoveryURL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DiscoveryURL field is set to the value of the last call.
+func (b *TokenIssuerApplyConfiguration) WithDiscoveryURL(value string) *TokenIssuerApplyConfiguration {
+ b.DiscoveryURL = &value
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/tokenuservalidationrule.go b/config/applyconfigurations/config/v1/tokenuservalidationrule.go
new file mode 100644
index 000000000..2aae5f3fe
--- /dev/null
+++ b/config/applyconfigurations/config/v1/tokenuservalidationrule.go
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenUserValidationRuleApplyConfiguration represents a declarative configuration of the TokenUserValidationRule type for use
+// with apply.
+type TokenUserValidationRuleApplyConfiguration struct {
+ Expression *string `json:"expression,omitempty"`
+ Message *string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRuleApplyConfiguration constructs a declarative configuration of the TokenUserValidationRule type for use with
+// apply.
+func TokenUserValidationRule() *TokenUserValidationRuleApplyConfiguration {
+ return &TokenUserValidationRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithExpression(value string) *TokenUserValidationRuleApplyConfiguration {
+ b.Expression = &value
+ return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithMessage(value string) *TokenUserValidationRuleApplyConfiguration {
+ b.Message = &value
+ return b
+}
diff --git a/config/applyconfigurations/config/v1/update.go b/config/applyconfigurations/config/v1/update.go
index 004d1bac2..d20e3ca42 100644
--- a/config/applyconfigurations/config/v1/update.go
+++ b/config/applyconfigurations/config/v1/update.go
@@ -13,6 +13,7 @@ type UpdateApplyConfiguration struct {
Version *string `json:"version,omitempty"`
Image *string `json:"image,omitempty"`
Force *bool `json:"force,omitempty"`
+ AcceptRisks []AcceptRiskApplyConfiguration `json:"acceptRisks,omitempty"`
}
// UpdateApplyConfiguration constructs a declarative configuration of the Update type for use with
@@ -52,3 +53,16 @@ func (b *UpdateApplyConfiguration) WithForce(value bool) *UpdateApplyConfigurati
b.Force = &value
return b
}
+
+// WithAcceptRisks adds the given value to the AcceptRisks field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AcceptRisks field.
+func (b *UpdateApplyConfiguration) WithAcceptRisks(values ...*AcceptRiskApplyConfiguration) *UpdateApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithAcceptRisks")
+ }
+ b.AcceptRisks = append(b.AcceptRisks, *values[i])
+ }
+ return b
+}
diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..221728dca
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,263 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+ internal "github.com/openshift/client-go/config/applyconfigurations/internal"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+ v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfig type for use
+// with apply.
+type CRIOCredentialProviderConfigApplyConfiguration struct {
+ v1.TypeMetaApplyConfiguration `json:",inline"`
+ *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+ Spec *CRIOCredentialProviderConfigSpecApplyConfiguration `json:"spec,omitempty"`
+ Status *CRIOCredentialProviderConfigStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfig constructs a declarative configuration of the CRIOCredentialProviderConfig type for use with
+// apply.
+func CRIOCredentialProviderConfig(name string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b := &CRIOCredentialProviderConfigApplyConfiguration{}
+ b.WithName(name)
+ b.WithKind("CRIOCredentialProviderConfig")
+ b.WithAPIVersion("config.openshift.io/v1alpha1")
+ return b
+}
+
+// ExtractCRIOCredentialProviderConfig extracts the applied configuration owned by fieldManager from
+// cRIOCredentialProviderConfig. If no managedFields are found in cRIOCredentialProviderConfig for fieldManager, a
+// CRIOCredentialProviderConfigApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cRIOCredentialProviderConfig must be a unmodified CRIOCredentialProviderConfig API object that was retrieved from the Kubernetes API.
+// ExtractCRIOCredentialProviderConfig provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+ return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "")
+}
+
+// ExtractCRIOCredentialProviderConfigStatus is the same as ExtractCRIOCredentialProviderConfig except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractCRIOCredentialProviderConfigStatus(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+ return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "status")
+}
+
+func extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string, subresource string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+ b := &CRIOCredentialProviderConfigApplyConfiguration{}
+ err := managedfields.ExtractInto(cRIOCredentialProviderConfig, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"), fieldManager, b, subresource)
+ if err != nil {
+ return nil, err
+ }
+ b.WithName(cRIOCredentialProviderConfig.Name)
+
+ b.WithKind("CRIOCredentialProviderConfig")
+ b.WithAPIVersion("config.openshift.io/v1alpha1")
+ return b, nil
+}
+func (b CRIOCredentialProviderConfigApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithKind(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.TypeMetaApplyConfiguration.Kind = &value
+ return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAPIVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.TypeMetaApplyConfiguration.APIVersion = &value
+ return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.Name = &value
+ return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGenerateName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.GenerateName = &value
+ return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithNamespace(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.Namespace = &value
+ return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithUID(value types.UID) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.UID = &value
+ return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithResourceVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+ return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGeneration(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.Generation = &value
+ return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+ return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+ return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+ return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithLabels(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+ b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.ObjectMetaApplyConfiguration.Labels[k] = v
+ }
+ return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAnnotations(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+ b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.ObjectMetaApplyConfiguration.Annotations[k] = v
+ }
+ return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithOwnerReferences")
+ }
+ b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+ }
+ return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithFinalizers(values ...string) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+ }
+ return b
+}
+
+func (b *CRIOCredentialProviderConfigApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+ if b.ObjectMetaApplyConfiguration == nil {
+ b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+ }
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithSpec(value *CRIOCredentialProviderConfigSpecApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.Spec = value
+ return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithStatus(value *CRIOCredentialProviderConfigStatusApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+ b.Status = value
+ return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetKind() *string {
+ return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetAPIVersion() *string {
+ return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetName() *string {
+ b.ensureObjectMetaApplyConfigurationExists()
+ return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetNamespace() *string {
+ b.ensureObjectMetaApplyConfigurationExists()
+ return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
new file mode 100644
index 000000000..e6588c608
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
@@ -0,0 +1,29 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+)
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigSpec type for use
+// with apply.
+type CRIOCredentialProviderConfigSpecApplyConfiguration struct {
+ MatchImages []configv1alpha1.MatchImage `json:"matchImages,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigSpec type for use with
+// apply.
+func CRIOCredentialProviderConfigSpec() *CRIOCredentialProviderConfigSpecApplyConfiguration {
+ return &CRIOCredentialProviderConfigSpecApplyConfiguration{}
+}
+
+// WithMatchImages adds the given value to the MatchImages field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchImages field.
+func (b *CRIOCredentialProviderConfigSpecApplyConfiguration) WithMatchImages(values ...configv1alpha1.MatchImage) *CRIOCredentialProviderConfigSpecApplyConfiguration {
+ for i := range values {
+ b.MatchImages = append(b.MatchImages, values[i])
+ }
+ return b
+}
diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
new file mode 100644
index 000000000..a243b281d
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigStatus type for use
+// with apply.
+type CRIOCredentialProviderConfigStatusApplyConfiguration struct {
+ Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigStatus type for use with
+// apply.
+func CRIOCredentialProviderConfigStatus() *CRIOCredentialProviderConfigStatusApplyConfiguration {
+ return &CRIOCredentialProviderConfigStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CRIOCredentialProviderConfigStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *CRIOCredentialProviderConfigStatusApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithConditions")
+ }
+ b.Conditions = append(b.Conditions, *values[i])
+ }
+ return b
+}
diff --git a/config/applyconfigurations/internal/internal.go b/config/applyconfigurations/internal/internal.go
index f00417a5c..2863e0d51 100644
--- a/config/applyconfigurations/internal/internal.go
+++ b/config/applyconfigurations/internal/internal.go
@@ -206,6 +206,12 @@ var schemaYAML = typed.YAMLObject(`types:
type:
scalar: string
default: ""
+- name: com.github.openshift.api.config.v1.AcceptRisk
+ map:
+ fields:
+ - name: name
+ type:
+ scalar: string
- name: com.github.openshift.api.config.v1.AlibabaCloudPlatformSpec
map:
elementType:
@@ -848,6 +854,14 @@ var schemaYAML = typed.YAMLObject(`types:
type:
namedType: com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus
default: {}
+ - name: conditionalUpdateRisks
+ type:
+ list:
+ elementType:
+ namedType: com.github.openshift.api.config.v1.ConditionalUpdateRisk
+ elementRelationship: associative
+ keys:
+ - name
- name: conditionalUpdates
type:
list:
@@ -978,6 +992,12 @@ var schemaYAML = typed.YAMLObject(`types:
type:
namedType: com.github.openshift.api.config.v1.Release
default: {}
+ - name: riskNames
+ type:
+ list:
+ elementType:
+ scalar: string
+ elementRelationship: associative
- name: risks
type:
list:
@@ -989,6 +1009,14 @@ var schemaYAML = typed.YAMLObject(`types:
- name: com.github.openshift.api.config.v1.ConditionalUpdateRisk
map:
fields:
+ - name: conditions
+ type:
+ list:
+ elementType:
+ namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+ elementRelationship: associative
+ keys:
+ - type
- name: matchingRules
type:
list:
@@ -2751,6 +2779,14 @@ var schemaYAML = typed.YAMLObject(`types:
keys:
- componentNamespace
- componentName
+ - name: userValidationRules
+ type:
+ list:
+ elementType:
+ namedType: com.github.openshift.api.config.v1.TokenUserValidationRule
+ elementRelationship: associative
+ keys:
+ - expression
- name: com.github.openshift.api.config.v1.ObjectReference
map:
fields:
@@ -3689,9 +3725,22 @@ var schemaYAML = typed.YAMLObject(`types:
- name: expression
type:
scalar: string
+- name: com.github.openshift.api.config.v1.TokenClaimValidationCELRule
+ map:
+ fields:
+ - name: expression
+ type:
+ scalar: string
+ - name: message
+ type:
+ scalar: string
- name: com.github.openshift.api.config.v1.TokenClaimValidationRule
map:
fields:
+ - name: cel
+ type:
+ namedType: com.github.openshift.api.config.v1.TokenClaimValidationCELRule
+ default: {}
- name: requiredClaim
type:
namedType: com.github.openshift.api.config.v1.TokenRequiredClaim
@@ -3720,6 +3769,9 @@ var schemaYAML = typed.YAMLObject(`types:
elementType:
scalar: string
elementRelationship: associative
+ - name: discoveryURL
+ type:
+ scalar: string
- name: issuerCertificateAuthority
type:
namedType: com.github.openshift.api.config.v1.ConfigMapNameReference
@@ -3739,9 +3791,26 @@ var schemaYAML = typed.YAMLObject(`types:
type:
scalar: string
default: ""
+- name: com.github.openshift.api.config.v1.TokenUserValidationRule
+ map:
+ fields:
+ - name: expression
+ type:
+ scalar: string
+ - name: message
+ type:
+ scalar: string
- name: com.github.openshift.api.config.v1.Update
map:
fields:
+ - name: acceptRisks
+ type:
+ list:
+ elementType:
+ namedType: com.github.openshift.api.config.v1.AcceptRisk
+ elementRelationship: associative
+ keys:
+ - name
- name: architecture
type:
scalar: string
@@ -4149,6 +4218,46 @@ var schemaYAML = typed.YAMLObject(`types:
elementType:
namedType: __untyped_deduced_
elementRelationship: separable
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig
+ map:
+ fields:
+ - name: apiVersion
+ type:
+ scalar: string
+ - name: kind
+ type:
+ scalar: string
+ - name: metadata
+ type:
+ namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+ default: {}
+ - name: spec
+ type:
+ namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+ default: {}
+ - name: status
+ type:
+ namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+ map:
+ fields:
+ - name: matchImages
+ type:
+ list:
+ elementType:
+ scalar: string
+ elementRelationship: associative
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+ map:
+ fields:
+ - name: conditions
+ type:
+ list:
+ elementType:
+ namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+ elementRelationship: associative
+ keys:
+ - type
- name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicy
map:
fields:
diff --git a/config/applyconfigurations/utils.go b/config/applyconfigurations/utils.go
index 99cad8e20..fc7f4ac32 100644
--- a/config/applyconfigurations/utils.go
+++ b/config/applyconfigurations/utils.go
@@ -20,6 +20,8 @@ import (
func ForKind(kind schema.GroupVersionKind) interface{} {
switch kind {
// Group=config.openshift.io, Version=v1
+ case v1.SchemeGroupVersion.WithKind("AcceptRisk"):
+ return &configv1.AcceptRiskApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("AlibabaCloudPlatformStatus"):
return &configv1.AlibabaCloudPlatformStatusApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("AlibabaCloudResourceTag"):
@@ -430,6 +432,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &configv1.TokenClaimMappingsApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TokenClaimOrExpressionMapping"):
return &configv1.TokenClaimOrExpressionMappingApplyConfiguration{}
+ case v1.SchemeGroupVersion.WithKind("TokenClaimValidationCELRule"):
+ return &configv1.TokenClaimValidationCELRuleApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TokenClaimValidationRule"):
return &configv1.TokenClaimValidationRuleApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TokenConfig"):
@@ -438,6 +442,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &configv1.TokenIssuerApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TokenRequiredClaim"):
return &configv1.TokenRequiredClaimApplyConfiguration{}
+ case v1.SchemeGroupVersion.WithKind("TokenUserValidationRule"):
+ return &configv1.TokenUserValidationRuleApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("Update"):
return &configv1.UpdateApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("UpdateHistory"):
@@ -494,6 +500,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &configv1alpha1.ClusterMonitoringSpecApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("ContainerResource"):
return &configv1alpha1.ContainerResourceApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"):
+ return &configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigSpec"):
+ return &configv1alpha1.CRIOCredentialProviderConfigSpecApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigStatus"):
+ return &configv1alpha1.CRIOCredentialProviderConfigStatusApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("EtcdBackupSpec"):
return &configv1alpha1.EtcdBackupSpecApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("GatherConfig"):
diff --git a/config/clientset/versioned/typed/config/v1alpha1/config_client.go b/config/clientset/versioned/typed/config/v1alpha1/config_client.go
index 2530a4a64..58cf671dc 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -13,6 +13,7 @@ import (
type ConfigV1alpha1Interface interface {
RESTClient() rest.Interface
BackupsGetter
+ CRIOCredentialProviderConfigsGetter
ClusterImagePoliciesGetter
ClusterMonitoringsGetter
ImagePoliciesGetter
@@ -28,6 +29,10 @@ func (c *ConfigV1alpha1Client) Backups() BackupInterface {
return newBackups(c)
}
+func (c *ConfigV1alpha1Client) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface {
+ return newCRIOCredentialProviderConfigs(c)
+}
+
func (c *ConfigV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface {
return newClusterImagePolicies(c)
}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go b/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..3c4962155
--- /dev/null
+++ b/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,62 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ context "context"
+
+ configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+ applyconfigurationsconfigv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+ scheme "github.com/openshift/client-go/config/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ gentype "k8s.io/client-go/gentype"
+)
+
+// CRIOCredentialProviderConfigsGetter has a method to return a CRIOCredentialProviderConfigInterface.
+// A group's client should implement this interface.
+type CRIOCredentialProviderConfigsGetter interface {
+ CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface
+}
+
+// CRIOCredentialProviderConfigInterface has methods to work with CRIOCredentialProviderConfig resources.
+type CRIOCredentialProviderConfigInterface interface {
+ Create(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.CreateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+ Update(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+ // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+ UpdateStatus(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+ List(ctx context.Context, opts v1.ListOptions) (*configv1alpha1.CRIOCredentialProviderConfigList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+ Apply(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+ // Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+ ApplyStatus(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+ CRIOCredentialProviderConfigExpansion
+}
+
+// cRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type cRIOCredentialProviderConfigs struct {
+ *gentype.ClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+}
+
+// newCRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigs
+func newCRIOCredentialProviderConfigs(c *ConfigV1alpha1Client) *cRIOCredentialProviderConfigs {
+ return &cRIOCredentialProviderConfigs{
+ gentype.NewClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+ "criocredentialproviderconfigs",
+ c.RESTClient(),
+ scheme.ParameterCodec,
+ "",
+ func() *configv1alpha1.CRIOCredentialProviderConfig {
+ return &configv1alpha1.CRIOCredentialProviderConfig{}
+ },
+ func() *configv1alpha1.CRIOCredentialProviderConfigList {
+ return &configv1alpha1.CRIOCredentialProviderConfigList{}
+ },
+ ),
+ }
+}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
index dd57e4a2c..e807c2314 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -16,6 +16,10 @@ func (c *FakeConfigV1alpha1) Backups() v1alpha1.BackupInterface {
return newFakeBackups(c)
}
+func (c *FakeConfigV1alpha1) CRIOCredentialProviderConfigs() v1alpha1.CRIOCredentialProviderConfigInterface {
+ return newFakeCRIOCredentialProviderConfigs(c)
+}
+
func (c *FakeConfigV1alpha1) ClusterImagePolicies() v1alpha1.ClusterImagePolicyInterface {
return newFakeClusterImagePolicies(c)
}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
new file mode 100644
index 000000000..588ce179c
--- /dev/null
+++ b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
@@ -0,0 +1,37 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ v1alpha1 "github.com/openshift/api/config/v1alpha1"
+ configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+ typedconfigv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1"
+ gentype "k8s.io/client-go/gentype"
+)
+
+// fakeCRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type fakeCRIOCredentialProviderConfigs struct {
+ *gentype.FakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+ Fake *FakeConfigV1alpha1
+}
+
+func newFakeCRIOCredentialProviderConfigs(fake *FakeConfigV1alpha1) typedconfigv1alpha1.CRIOCredentialProviderConfigInterface {
+ return &fakeCRIOCredentialProviderConfigs{
+ gentype.NewFakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+ fake.Fake,
+ "",
+ v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"),
+ v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"),
+ func() *v1alpha1.CRIOCredentialProviderConfig { return &v1alpha1.CRIOCredentialProviderConfig{} },
+ func() *v1alpha1.CRIOCredentialProviderConfigList { return &v1alpha1.CRIOCredentialProviderConfigList{} },
+ func(dst, src *v1alpha1.CRIOCredentialProviderConfigList) { dst.ListMeta = src.ListMeta },
+ func(list *v1alpha1.CRIOCredentialProviderConfigList) []*v1alpha1.CRIOCredentialProviderConfig {
+ return gentype.ToPointerSlice(list.Items)
+ },
+ func(list *v1alpha1.CRIOCredentialProviderConfigList, items []*v1alpha1.CRIOCredentialProviderConfig) {
+ list.Items = gentype.FromPointerSlice(items)
+ },
+ ),
+ fake,
+ }
+}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ab5198cce..9f530ae22 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -4,6 +4,8 @@ package v1alpha1
type BackupExpansion interface{}
+type CRIOCredentialProviderConfigExpansion interface{}
+
type ClusterImagePolicyExpansion interface{}
type ClusterMonitoringExpansion interface{}
diff --git a/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go b/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..b349ee0ed
--- /dev/null
+++ b/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,85 @@
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ context "context"
+ time "time"
+
+ apiconfigv1alpha1 "github.com/openshift/api/config/v1alpha1"
+ versioned "github.com/openshift/client-go/config/clientset/versioned"
+ internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces"
+ configv1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigInformer provides access to a shared informer and lister for
+// CRIOCredentialProviderConfigs.
+type CRIOCredentialProviderConfigInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() configv1alpha1.CRIOCredentialProviderConfigLister
+}
+
+type cRIOCredentialProviderConfigInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(context.Background(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(context.Background(), options)
+ },
+ ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(ctx, options)
+ },
+ WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(ctx, options)
+ },
+ },
+ &apiconfigv1alpha1.CRIOCredentialProviderConfig{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *cRIOCredentialProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&apiconfigv1alpha1.CRIOCredentialProviderConfig{}, f.defaultInformer)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Lister() configv1alpha1.CRIOCredentialProviderConfigLister {
+ return configv1alpha1.NewCRIOCredentialProviderConfigLister(f.Informer().GetIndexer())
+}
diff --git a/config/informers/externalversions/config/v1alpha1/interface.go b/config/informers/externalversions/config/v1alpha1/interface.go
index 893d2db0a..10cc930b8 100644
--- a/config/informers/externalversions/config/v1alpha1/interface.go
+++ b/config/informers/externalversions/config/v1alpha1/interface.go
@@ -10,6 +10,8 @@ import (
type Interface interface {
// Backups returns a BackupInformer.
Backups() BackupInformer
+ // CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+ CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer
// ClusterImagePolicies returns a ClusterImagePolicyInformer.
ClusterImagePolicies() ClusterImagePolicyInformer
// ClusterMonitorings returns a ClusterMonitoringInformer.
@@ -36,6 +38,11 @@ func (v *version) Backups() BackupInformer {
return &backupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}
+// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+func (v *version) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer {
+ return &cRIOCredentialProviderConfigInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
// ClusterImagePolicies returns a ClusterImagePolicyInformer.
func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {
return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/config/informers/externalversions/generic.go b/config/informers/externalversions/generic.go
index 146e7e975..ca697748a 100644
--- a/config/informers/externalversions/generic.go
+++ b/config/informers/externalversions/generic.go
@@ -91,6 +91,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=config.openshift.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithResource("backups"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().Backups().Informer()}, nil
+ case v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CRIOCredentialProviderConfigs().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ClusterImagePolicies().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("clustermonitorings"):
diff --git a/config/listers/config/v1alpha1/criocredentialproviderconfig.go b/config/listers/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..cc5dfa388
--- /dev/null
+++ b/config/listers/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,32 @@
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ listers "k8s.io/client-go/listers"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigLister helps list CRIOCredentialProviderConfigs.
+// All objects returned here must be treated as read-only.
+type CRIOCredentialProviderConfigLister interface {
+ // List lists all CRIOCredentialProviderConfigs in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*configv1alpha1.CRIOCredentialProviderConfig, err error)
+ // Get retrieves the CRIOCredentialProviderConfig from the index for a given name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+ CRIOCredentialProviderConfigListerExpansion
+}
+
+// cRIOCredentialProviderConfigLister implements the CRIOCredentialProviderConfigLister interface.
+type cRIOCredentialProviderConfigLister struct {
+ listers.ResourceIndexer[*configv1alpha1.CRIOCredentialProviderConfig]
+}
+
+// NewCRIOCredentialProviderConfigLister returns a new CRIOCredentialProviderConfigLister.
+func NewCRIOCredentialProviderConfigLister(indexer cache.Indexer) CRIOCredentialProviderConfigLister {
+ return &cRIOCredentialProviderConfigLister{listers.New[*configv1alpha1.CRIOCredentialProviderConfig](indexer, configv1alpha1.Resource("criocredentialproviderconfig"))}
+}
diff --git a/config/listers/config/v1alpha1/expansion_generated.go b/config/listers/config/v1alpha1/expansion_generated.go
index 09b4d206d..75ba32823 100644
--- a/config/listers/config/v1alpha1/expansion_generated.go
+++ b/config/listers/config/v1alpha1/expansion_generated.go
@@ -6,6 +6,10 @@ package v1alpha1
// BackupLister.
type BackupListerExpansion interface{}
+// CRIOCredentialProviderConfigListerExpansion allows custom methods to be added to
+// CRIOCredentialProviderConfigLister.
+type CRIOCredentialProviderConfigListerExpansion interface{}
+
// ClusterImagePolicyListerExpansion allows custom methods to be added to
// ClusterImagePolicyLister.
type ClusterImagePolicyListerExpansion interface{}
diff --git a/go.mod b/go.mod
index 041ba8d6f..ec3def716 100644
--- a/go.mod
+++ b/go.mod
@@ -66,3 +66,5 @@ retract v3.9.0+incompatible
// To make go aware of the retraction, we need to tag a new version that can be
// retracted by itself.
retract v0.0.1
+
+replace github.com/openshift/api => github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c
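Review bot: The new `replace github.com/openshift/api => github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c` directive points this module's API dependency at a personal fork, which should not be merged in this form. Go honors `replace` only when building the main module, so downstream consumers of this client library will still resolve upstream `github.com/openshift/api`, where the CRIOCredentialProviderConfig and token-validation types generated elsewhere in this change presumably do not yet exist, and their builds would fail. From a supply-chain standpoint the fork commit sits outside the upstream org's review controls, and go.sum now records the fork's hash in place of the upstream module's. Drop the `replace` and bump the `require` on `github.com/openshift/api` once the corresponding API change lands, or at minimum mark it `// TODO: temporary, remove before merge` so it cannot slip into a release.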
diff --git a/go.sum b/go.sum
index 67d8b8b13..82f431a60 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c h1:WcyKwl1BGjzexTaDhxrCtc28GIULuDNNpeN+bs6C+/Y=
+github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -57,8 +59,6 @@ github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM
github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/api v0.0.0-20260107103503-6d35063ca179 h1:5gMFMmuVLAcEnBAjNFql/8L2ZRPBDOxl7nmbjO5klvk=
-github.com/openshift/api v0.0.0-20260107103503-6d35063ca179/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go b/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go
index 583ee66b7..08b74fde0 100644
--- a/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go
+++ b/machine/applyconfigurations/machine/v1beta1/machinesetstatus.go
@@ -18,6 +18,7 @@ type MachineSetStatusApplyConfiguration struct {
ErrorMessage *string `json:"errorMessage,omitempty"`
Conditions []ConditionApplyConfiguration `json:"conditions,omitempty"`
AuthoritativeAPI *machinev1beta1.MachineAuthority `json:"authoritativeAPI,omitempty"`
+ SynchronizedAPI *machinev1beta1.SynchronizedAPI `json:"synchronizedAPI,omitempty"`
SynchronizedGeneration *int64 `json:"synchronizedGeneration,omitempty"`
}
@@ -104,6 +105,14 @@ func (b *MachineSetStatusApplyConfiguration) WithAuthoritativeAPI(value machinev
return b
}
+// WithSynchronizedAPI sets the SynchronizedAPI field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SynchronizedAPI field is set to the value of the last call.
+func (b *MachineSetStatusApplyConfiguration) WithSynchronizedAPI(value machinev1beta1.SynchronizedAPI) *MachineSetStatusApplyConfiguration {
+ b.SynchronizedAPI = &value
+ return b
+}
+
// WithSynchronizedGeneration sets the SynchronizedGeneration field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SynchronizedGeneration field is set to the value of the last call.
diff --git a/machine/applyconfigurations/machine/v1beta1/machinestatus.go b/machine/applyconfigurations/machine/v1beta1/machinestatus.go
index ab4a2632c..8e211e60e 100644
--- a/machine/applyconfigurations/machine/v1beta1/machinestatus.go
+++ b/machine/applyconfigurations/machine/v1beta1/machinestatus.go
@@ -22,6 +22,7 @@ type MachineStatusApplyConfiguration struct {
Phase *string `json:"phase,omitempty"`
Conditions []ConditionApplyConfiguration `json:"conditions,omitempty"`
AuthoritativeAPI *machinev1beta1.MachineAuthority `json:"authoritativeAPI,omitempty"`
+ SynchronizedAPI *machinev1beta1.SynchronizedAPI `json:"synchronizedAPI,omitempty"`
SynchronizedGeneration *int64 `json:"synchronizedGeneration,omitempty"`
}
@@ -118,6 +119,14 @@ func (b *MachineStatusApplyConfiguration) WithAuthoritativeAPI(value machinev1be
return b
}
+// WithSynchronizedAPI sets the SynchronizedAPI field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SynchronizedAPI field is set to the value of the last call.
+func (b *MachineStatusApplyConfiguration) WithSynchronizedAPI(value machinev1beta1.SynchronizedAPI) *MachineStatusApplyConfiguration {
+ b.SynchronizedAPI = &value
+ return b
+}
+
// WithSynchronizedGeneration sets the SynchronizedGeneration field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SynchronizedGeneration field is set to the value of the last call.
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 52a41b2fe..e300d4eab 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
// Authentication specifies cluster-wide settings for authentication (like OAuth and
// webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -91,6 +91,7 @@ type AuthenticationSpec struct {
// +kubebuilder:validation:MaxItems=1
// +openshift:enable:FeatureGate=ExternalOIDC
// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
// +optional
OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
}
@@ -243,11 +244,27 @@ type OIDCProvider struct {
// +listType=atomic
// +optional
ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
+
+ // userValidationRules is an optional field that configures the set of rules
+ // used to validate the cluster user identity that was constructed via
+ // mapping token claims to user identity attributes.
+ // Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
+ // If any rule in the chain of rules evaluates to 'false', authentication will fail.
+ // When specified, at least one rule must be specified and no more than 64 rules may be specified.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=expression
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
}
// +kubebuilder:validation:MinLength=1
type TokenAudience string
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL"
type TokenIssuer struct {
// issuerURL is a required field that configures the URL used to issue tokens
// by the identity provider.
@@ -291,6 +308,24 @@ type TokenIssuer struct {
//
// +optional
CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
+ // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint
+ // used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL`
+ // as "{issuerURL}/.well-known/openid-configuration".
+ //
+ // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query
+ // parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes).
+ // The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="discoveryURL must be a valid URL"
+ // +kubebuilder:validation:XValidation:rule="url(self).getScheme() == 'https'",message="discoveryURL must be a valid https URL"
+ // +kubebuilder:validation:XValidation:rule="url(self).getQuery().size() == 0",message="discoveryURL must not contain query parameters"
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments"
+ // +kubebuilder:validation:XValidation:rule="!self.matches('^https://.+:.+@.+/.*$')",message="discoveryURL must not contain user info"
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ DiscoveryURL string `json:"discoveryURL,omitempty"`
}
type TokenClaimMappings struct {
@@ -717,37 +752,56 @@ type PrefixedClaimMapping struct {
Prefix string `json:"prefix"`
}
-// TokenValidationRuleType represents the different
-// claim validation rule types that can be configured.
+// TokenValidationRuleType defines the type of token validation rule.
// +enum
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUpstreamParity,enum="RequiredClaim";"CEL"
type TokenValidationRuleType string
const (
+ // TokenValidationRuleTypeRequiredClaim indicates that the token must contain a specific claim.
+ // Used as a value for TokenValidationRuleType.
TokenValidationRuleTypeRequiredClaim = "RequiredClaim"
+ // TokenValidationRuleTypeCEL indicates that the token validation is defined via a CEL expression.
+ // Used as a value for TokenValidationRuleType.
+ TokenValidationRuleTypeCEL = "CEL"
)
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If Type is CEL, CEL must be set and RequiredClaim must be omitted.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.type) && self.type == 'CEL' ? has(self.cel) : !has(self.cel)",message="cel must be set when type is 'CEL', and forbidden otherwise"
type TokenClaimValidationRule struct {
// type is an optional field that configures the type of the validation rule.
//
- // Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
- //
- // When set to 'RequiredClaim', the Kubernetes API server
- // will be configured to validate that the incoming JWT
- // contains the required claim and that its value matches
- // the required value.
+ // Allowed values are "RequiredClaim" and "CEL".
//
- // Defaults to 'RequiredClaim'.
+ // When set to 'RequiredClaim', the Kubernetes API server will be configured
+ // to validate that the incoming JWT contains the required claim and that its
+ // value matches the required value.
//
- // +kubebuilder:validation:Enum={"RequiredClaim"}
- // +kubebuilder:default="RequiredClaim"
+ // When set to 'CEL', the Kubernetes API server will be configured
+ // to validate the incoming JWT against the configured CEL expression.
+ // +required
Type TokenValidationRuleType `json:"type"`
- // requiredClaim is an optional field that configures the required claim
- // and value that the Kubernetes API server will use to validate if an incoming
- // JWT is valid for this identity provider.
+ // requiredClaim allows configuring a required claim name and its expected value.
+ // This field is required when `type` is set to RequiredClaim, and must be omitted
+ // when `type` is set to any other value. The Kubernetes API server uses this field
+ // to validate if an incoming JWT is valid for this identity provider.
//
// +optional
RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
+
+ // cel holds the CEL expression and message for validation.
+ // Must be set when Type is "CEL", and forbidden otherwise.
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ CEL TokenClaimValidationCELRule `json:"cel,omitempty,omitzero"`
}
type TokenRequiredClaim struct {
@@ -771,3 +825,45 @@ type TokenRequiredClaim struct {
// +required
RequiredValue string `json:"requiredValue"`
}
+
+type TokenClaimValidationCELRule struct {
+ // expression is a CEL expression evaluated against token claims.
+ // expression is required, must be at least 1 character in length and must not exceed 1024 characters.
+ // The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.
+ //
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +required
+ Expression string `json:"expression,omitempty"`
+
+ // message is a required human-readable message to be logged by the Kubernetes API server
+ // if the CEL expression defined in 'expression' fails.
+ // message must be at least 1 character in length and must not exceed 256 characters.
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ Message string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
+// Each rule contains a CEL expression that is evaluated against the token’s claims.
+type TokenUserValidationRule struct {
+ // expression is a required CEL expression that performs a validation
+ // on cluster user identity attributes like username, groups, etc.
+ // The expression must evaluate to a boolean value.
+ // When the expression evaluates to 'true', the cluster user identity is considered valid.
+ // When the expression evaluates to 'false', the cluster user identity is not considered valid.
+ // expression must be at least 1 character in length and must not exceed 1024 characters.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+ // message is a required human-readable message to be logged by the Kubernetes API server
+ // if the CEL expression defined in 'expression' fails.
+ // message must be at least 1 character in length and must not exceed 256 characters.
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index e5aad151e..5f36f693d 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -199,9 +199,23 @@ type ClusterVersionStatus struct {
// availableUpdates. This list may be empty if no updates are
// recommended, if the update service is unavailable, or if an empty
// or invalid channel has been specified.
+ // +kubebuilder:validation:MaxItems=500
// +listType=atomic
// +optional
ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"`
+
+ // conditionalUpdateRisks contains the list of risks associated with conditionalUpdates.
+ // When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field.
+ // If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked.
+ // The risk names in the list must be unique.
+ // conditionalUpdateRisks must not contain more than 500 entries.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MaxItems=500
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=name
+ // +optional
+ ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"`
}
// UpdateState is a constant representing whether an update was successfully
@@ -258,7 +272,7 @@ type UpdateHistory struct {
Verified bool `json:"verified"`
// acceptedRisks records risks which were accepted to initiate the update.
- // For example, it may menition an Upgradeable=False or missing signature
+ // For example, it may mention an Upgradeable=False or missing signature
// that was overridden via desiredUpdate.force, or an update that was
// initiated despite not being in the availableUpdates set of recommended
// update targets.
@@ -732,6 +746,30 @@ type Update struct {
//
// +optional
Force bool `json:"force"`
+
+ // acceptRisks is an optional set of names of conditional update risks that are considered acceptable.
+ // A conditional update is performed only if all of its risks are acceptable.
+ // This list may contain entries that apply to current, previous or future updates.
+ // The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks.
+ // acceptRisks must not contain more than 1000 entries.
+ // Entries in this list must be unique.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MaxItems=1000
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=name
+ // +optional
+ AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"`
+}
+
+// AcceptRisk represents a risk that is considered acceptable.
+type AcceptRisk struct {
+ // name is the name of the acceptable risk.
+ // It must be a non-empty string and must not exceed 256 characters.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +required
+ Name string `json:"name,omitempty"`
}
// Release represents an OpenShift release image and associated metadata.
@@ -787,12 +825,27 @@ type ConditionalUpdate struct {
// +required
Release Release `json:"release"`
+ // riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters.
+ // The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster.
+ // A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator.
+ // The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field.
+ // Entries must be unique and must not exceed 256 characters.
+ // riskNames must not contain more than 500 entries.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:items:MaxLength=256
+ // +kubebuilder:validation:MaxItems=500
+ // +listType=set
+ // +optional
+ RiskNames []string `json:"riskNames,omitempty"`
+
// risks represents the range of issues associated with
// updating to the target release. The cluster-version
// operator will evaluate all entries, and only recommend the
// update if there is at least one entry and all entries
// recommend the update.
// +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=200
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
@@ -813,6 +866,20 @@ type ConditionalUpdate struct {
// for not recommending a conditional update.
// +k8s:deepcopy-gen=true
type ConditionalUpdateRisk struct {
+ // conditions represents the observations of the conditional update
+ // risk's current status. Known types are:
+ // * Applies, for whether the risk applies to the current cluster.
+ // The condition's types in the list must be unique.
+ // conditions must not contain more than one entry.
+ // +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+ // +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
+ // +kubebuilder:validation:MaxItems=8
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=type
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+
// url contains information about this risk.
// +kubebuilder:validation:Format=uri
// +kubebuilder:validation:MinLength=1
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index b18ef647c..1e5189796 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -4,178 +4,130 @@ package v1
// is used by operators to apply TLS security settings to operands.
// +union
type TLSSecurityProfile struct {
- // type is one of Old, Intermediate, Modern or Custom. Custom provides
- // the ability to specify individual TLS security profile parameters.
- // Old, Intermediate and Modern are TLS security profiles based on:
+ // type is one of Old, Intermediate, Modern or Custom. Custom provides the
+ // ability to specify individual TLS security profile parameters.
//
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+ // The profiles are currently based on version 5.0 of the Mozilla Server Side TLS
+ // configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for
+ // forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
//
- // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
- // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be
- // reduced.
- //
- // Note that the Modern profile is currently not supported because it is not
- // yet well adopted by common software libraries.
+ // The profiles are intent based, so they may change over time as new ciphers are
+ // developed and existing ciphers are found to be insecure. Depending on
+ // precisely which ciphers are available to a process, the list may be reduced.
//
// +unionDiscriminator
// +optional
Type TLSProfileType `json:"type"`
- // old is a TLS security profile based on:
- //
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+
+ // old is a TLS profile for use when services need to be accessed by very old
+ // clients or libraries and should be used only as a last resort.
//
- // and looks like this (yaml):
+ // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+ // by the "old" profile ciphers.
//
+ // This profile is equivalent to a Custom profile specified as:
+ // minTLSVersion: VersionTLS10
// ciphers:
- //
// - TLS_AES_128_GCM_SHA256
- //
// - TLS_AES_256_GCM_SHA384
- //
// - TLS_CHACHA20_POLY1305_SHA256
- //
// - ECDHE-ECDSA-AES128-GCM-SHA256
- //
// - ECDHE-RSA-AES128-GCM-SHA256
- //
// - ECDHE-ECDSA-AES256-GCM-SHA384
- //
// - ECDHE-RSA-AES256-GCM-SHA384
- //
// - ECDHE-ECDSA-CHACHA20-POLY1305
- //
// - ECDHE-RSA-CHACHA20-POLY1305
- //
// - DHE-RSA-AES128-GCM-SHA256
- //
// - DHE-RSA-AES256-GCM-SHA384
- //
// - DHE-RSA-CHACHA20-POLY1305
- //
// - ECDHE-ECDSA-AES128-SHA256
- //
// - ECDHE-RSA-AES128-SHA256
- //
// - ECDHE-ECDSA-AES128-SHA
- //
// - ECDHE-RSA-AES128-SHA
- //
// - ECDHE-ECDSA-AES256-SHA384
- //
// - ECDHE-RSA-AES256-SHA384
- //
// - ECDHE-ECDSA-AES256-SHA
- //
// - ECDHE-RSA-AES256-SHA
- //
// - DHE-RSA-AES128-SHA256
- //
// - DHE-RSA-AES256-SHA256
- //
// - AES128-GCM-SHA256
- //
// - AES256-GCM-SHA384
- //
// - AES128-SHA256
- //
// - AES256-SHA256
- //
// - AES128-SHA
- //
// - AES256-SHA
- //
// - DES-CBC3-SHA
//
- // minTLSVersion: VersionTLS10
- //
// +optional
// +nullable
Old *OldTLSProfile `json:"old,omitempty"`
- // intermediate is a TLS security profile based on:
- //
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+
+ // intermediate is a TLS profile for use when you do not need compatibility with
+ // legacy clients and want to remain highly secure while being compatible with
+ // most clients currently in use.
//
- // and looks like this (yaml):
+ // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+ // by the "intermediate" profile ciphers.
//
+ // This profile is equivalent to a Custom profile specified as:
+ // minTLSVersion: VersionTLS12
// ciphers:
- //
// - TLS_AES_128_GCM_SHA256
- //
// - TLS_AES_256_GCM_SHA384
- //
// - TLS_CHACHA20_POLY1305_SHA256
- //
// - ECDHE-ECDSA-AES128-GCM-SHA256
- //
// - ECDHE-RSA-AES128-GCM-SHA256
- //
// - ECDHE-ECDSA-AES256-GCM-SHA384
- //
// - ECDHE-RSA-AES256-GCM-SHA384
- //
// - ECDHE-ECDSA-CHACHA20-POLY1305
- //
// - ECDHE-RSA-CHACHA20-POLY1305
- //
// - DHE-RSA-AES128-GCM-SHA256
- //
// - DHE-RSA-AES256-GCM-SHA384
//
- // minTLSVersion: VersionTLS12
- //
// +optional
// +nullable
Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"`
- // modern is a TLS security profile based on:
- //
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
- //
- // and looks like this (yaml):
+
+ // modern is a TLS security profile for use with clients that support TLS 1.3 and
+ // do not need backward compatibility for older clients.
//
+ // This profile is equivalent to a Custom profile specified as:
+ // minTLSVersion: VersionTLS13
// ciphers:
- //
// - TLS_AES_128_GCM_SHA256
- //
// - TLS_AES_256_GCM_SHA384
- //
// - TLS_CHACHA20_POLY1305_SHA256
//
- // minTLSVersion: VersionTLS13
- //
// +optional
// +nullable
Modern *ModernTLSProfile `json:"modern,omitempty"`
+
// custom is a user-defined TLS security profile. Be extremely careful using a custom
// profile as invalid configurations can be catastrophic. An example custom profile
// looks like this:
//
+ // minTLSVersion: VersionTLS11
// ciphers:
- //
// - ECDHE-ECDSA-CHACHA20-POLY1305
- //
// - ECDHE-RSA-CHACHA20-POLY1305
- //
// - ECDHE-RSA-AES128-GCM-SHA256
- //
// - ECDHE-ECDSA-AES128-GCM-SHA256
//
- // minTLSVersion: VersionTLS11
- //
// +optional
// +nullable
Custom *CustomTLSProfile `json:"custom,omitempty"`
}
-// OldTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+// OldTLSProfile is a TLS security profile based on the "old" configuration of
+// the Mozilla Server Side TLS configuration guidelines.
type OldTLSProfile struct{}
-// IntermediateTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+// IntermediateTLSProfile is a TLS security profile based on the "intermediate"
+// configuration of the Mozilla Server Side TLS configuration guidelines.
type IntermediateTLSProfile struct{}
-// ModernTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+// ModernTLSProfile is a TLS security profile based on the "modern" configuration
+// of the Mozilla Server Side TLS configuration guidelines.
type ModernTLSProfile struct{}
// CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
@@ -189,16 +141,19 @@ type CustomTLSProfile struct {
type TLSProfileType string
const (
- // Old is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+ // TLSProfileOldType sets parameters based on the "old" configuration of
+ // the Mozilla Server Side TLS configuration guidelines.
TLSProfileOldType TLSProfileType = "Old"
- // Intermediate is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+
+ // TLSProfileIntermediateType sets parameters based on the "intermediate"
+ // configuration of the Mozilla Server Side TLS configuration guidelines.
TLSProfileIntermediateType TLSProfileType = "Intermediate"
- // Modern is a TLS security profile based on:
- // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+
+ // TLSProfileModernType sets parameters based on the "modern" configuration
+ // of the Mozilla Server Side TLS configuration guidelines.
TLSProfileModernType TLSProfileType = "Modern"
- // Custom is a TLS security profile that allows for user-defined parameters.
+
+ // TLSProfileCustomType is a TLS security profile that allows for user-defined parameters.
TLSProfileCustomType TLSProfileType = "Custom"
)
@@ -219,8 +174,6 @@ type TLSProfileSpec struct {
//
// minTLSVersion: VersionTLS11
//
- // NOTE: currently the highest minTLSVersion allowed is VersionTLS12
- //
MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
}
@@ -245,11 +198,16 @@ const (
VersionTLS13 TLSProtocolVersion = "VersionTLS13"
)
-// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec.
+// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec.
+//
+// These profiles are based on version 5.0 of the Mozilla Server Side TLS
+// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for
+// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
//
-// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all
-// entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail,
-// just be sure to whitelist only and everything will be ok.
+// NOTE: The caller needs to make sure to check that these constants are valid
+// for their binary. Not all entries map to values for all binaries. In the case
+// of ties, the kube-apiserver wins. Do not fail, just be sure to include only
+// valid entries and everything will be ok.
var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
TLSProfileOldType: {
Ciphers: []string{
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index d80aebdf3..30b85b78e 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk.
+func (in *AcceptRisk) DeepCopy() *AcceptRisk {
+ if in == nil {
+ return nil
+ }
+ out := new(AcceptRisk)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) {
*out = *in
@@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) {
if in.DesiredUpdate != nil {
in, out := &in.DesiredUpdate, &out.DesiredUpdate
*out = new(Update)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
if in.Capabilities != nil {
in, out := &in.Capabilities, &out.Capabilities
@@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ if in.ConditionalUpdateRisks != nil {
+ in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks
+ *out = make([]ConditionalUpdateRisk, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
return
}
@@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus {
func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) {
*out = *in
in.Release.DeepCopyInto(&out.Release)
+ if in.RiskNames != nil {
+ in, out := &in.RiskNames, &out.RiskNames
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
if in.Risks != nil {
in, out := &in.Risks, &out.Risks
*out = make([]ConditionalUpdateRisk, len(*in))
@@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) {
*out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]metav1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
if in.MatchingRules != nil {
in, out := &in.MatchingRules, &out.MatchingRules
*out = make([]ClusterCondition, len(*in))
@@ -4807,6 +4842,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ if in.UserValidationRules != nil {
+ in, out := &in.UserValidationRules, &out.UserValidationRules
+ *out = make([]TokenUserValidationRule, len(*in))
+ copy(*out, *in)
+ }
return
}
@@ -6405,6 +6445,22 @@ func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMappi
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimValidationCELRule) DeepCopyInto(out *TokenClaimValidationCELRule) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationCELRule.
+func (in *TokenClaimValidationCELRule) DeepCopy() *TokenClaimValidationCELRule {
+ if in == nil {
+ return nil
+ }
+ out := new(TokenClaimValidationCELRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) {
*out = *in
@@ -6413,6 +6469,7 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)
*out = new(TokenRequiredClaim)
**out = **in
}
+ out.CEL = in.CEL
return
}
@@ -6485,9 +6542,30 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule.
+func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule {
+ if in == nil {
+ return nil
+ }
+ out := new(TokenUserValidationRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Update) DeepCopyInto(out *Update) {
*out = *in
+ if in.AcceptRisks != nil {
+ in, out := &in.AcceptRisks, &out.AcceptRisks
+ *out = make([]AcceptRisk, len(*in))
+ copy(*out, *in)
+ }
return
}
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
index b113921f2..5d4794e4b 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -31,6 +31,7 @@ authentications.config.openshift.io:
FeatureGates:
- ExternalOIDC
- ExternalOIDCWithUIDAndExtraClaimMappings
+ - ExternalOIDCWithUpstreamParity
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
@@ -141,6 +142,7 @@ clusterversions.config.openshift.io:
Capability: ""
Category: ""
FeatureGates:
+ - ClusterUpdateAcceptRisks
- ImageStreamImportMode
- SignatureStores
FilenameOperatorName: cluster-version-operator
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
index e465cd1c8..e7bc0aebb 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
@@ -449,6 +449,7 @@ var map_OIDCProvider = map[string]string{
"oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.",
"claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.",
"claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.",
+ "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.",
}
func (OIDCProvider) SwaggerDoc() map[string]string {
@@ -494,9 +495,20 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string {
return map_TokenClaimOrExpressionMapping
}
+var map_TokenClaimValidationCELRule = map[string]string{
+ "expression": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.",
+ "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenClaimValidationCELRule) SwaggerDoc() map[string]string {
+ return map_TokenClaimValidationCELRule
+}
+
var map_TokenClaimValidationRule = map[string]string{
- "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
- "requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.",
+ "": "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. If Type is CEL, CEL must be set and RequiredClaim must be omitted.",
+ "type": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.",
+ "requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.",
+ "cel": "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.",
}
func (TokenClaimValidationRule) SwaggerDoc() map[string]string {
@@ -507,6 +519,7 @@ var map_TokenIssuer = map[string]string{
"issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.",
"audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.",
"issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.",
+ "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.",
}
func (TokenIssuer) SwaggerDoc() map[string]string {
@@ -522,6 +535,16 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string {
return map_TokenRequiredClaim
}
+var map_TokenUserValidationRule = map[string]string{
+ "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.",
+ "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.",
+ "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenUserValidationRule) SwaggerDoc() map[string]string {
+ return map_TokenUserValidationRule
+}
+
var map_UsernameClaimMapping = map[string]string{
"claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.",
"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"",
@@ -724,6 +747,15 @@ func (OperandVersion) SwaggerDoc() map[string]string {
return map_OperandVersion
}
+var map_AcceptRisk = map[string]string{
+ "": "AcceptRisk represents a risk that is considered acceptable.",
+ "name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.",
+}
+
+func (AcceptRisk) SwaggerDoc() map[string]string {
+ return map_AcceptRisk
+}
+
var map_ClusterCondition = map[string]string{
"": "ClusterCondition is a union of typed cluster conditions. The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.",
"type": "type represents the cluster-condition type. This defines the members and semantics of any additional properties.",
@@ -790,15 +822,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string {
}
var map_ClusterVersionStatus = map[string]string{
- "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
- "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
- "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
- "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
- "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
- "capabilities": "capabilities describes the state of optional, core cluster components.",
- "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
- "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
- "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+ "": "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
+ "desired": "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
+ "history": "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
+ "observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
+ "versionHash": "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
+ "capabilities": "capabilities describes the state of optional, core cluster components.",
+ "conditions": "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
+ "availableUpdates": "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
+ "conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+ "conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.",
}
func (ClusterVersionStatus) SwaggerDoc() map[string]string {
@@ -821,6 +854,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string {
var map_ConditionalUpdate = map[string]string{
"": "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.",
"release": "release is the target of the update.",
+ "riskNames": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.",
"risks": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.",
"conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.",
}
@@ -831,6 +865,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string {
var map_ConditionalUpdateRisk = map[string]string{
"": "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.",
+ "conditions": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.",
"url": "url contains information about this risk.",
"name": "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.",
"message": "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.",
@@ -879,6 +914,7 @@ var map_Update = map[string]string{
"version": "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
"image": "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
"force": "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n operator and you have verified the authenticity of the provided\n image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.",
+ "acceptRisks": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.",
}
func (Update) SwaggerDoc() map[string]string {
@@ -893,7 +929,7 @@ var map_UpdateHistory = map[string]string{
"version": "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.",
"image": "image is a container image location that contains the update. This value is always populated.",
"verified": "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.",
- "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
+ "acceptedRisks": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
}
func (UpdateHistory) SwaggerDoc() map[string]string {
@@ -2943,7 +2979,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string {
}
var map_IntermediateTLSProfile = map[string]string{
- "": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+ "": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.",
}
func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
@@ -2951,7 +2987,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
}
var map_ModernTLSProfile = map[string]string{
- "": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+ "": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.",
}
func (ModernTLSProfile) SwaggerDoc() map[string]string {
@@ -2959,7 +2995,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string {
}
var map_OldTLSProfile = map[string]string{
- "": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+ "": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.",
}
func (OldTLSProfile) SwaggerDoc() map[string]string {
@@ -2969,7 +3005,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string {
var map_TLSProfileSpec = map[string]string{
"": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.",
"ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA",
- "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+ "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11",
}
func (TLSProfileSpec) SwaggerDoc() map[string]string {
@@ -2978,11 +3014,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string {
var map_TLSSecurityProfile = map[string]string{
"": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.",
- "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.",
- "old": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10",
- "intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12",
- "modern": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13",
- "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11",
+ "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.",
+ "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA",
+ "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384",
+ "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256",
+ "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256",
}
func (TLSSecurityProfile) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/register.go b/vendor/github.com/openshift/api/config/v1alpha1/register.go
index 4b30ea380..c90962495 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/register.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&ImagePolicyList{},
&ClusterImagePolicy{},
&ClusterImagePolicyList{},
+ &CRIOCredentialProviderConfig{},
+ &CRIOCredentialProviderConfigList{},
)
metav1.AddToGroupVersion(scheme, GroupVersion)
return nil
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 000000000..0298fe9b8
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,184 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitzero"`
+
+ // spec defines the desired configuration of the CRI-O Credential Provider.
+ // This field is required and must be provided when creating the resource.
+ // +required
+ Spec CRIOCredentialProviderConfigSpec `json:"spec,omitzero"`
+
+ // status represents the current state of the CRIOCredentialProviderConfig.
+ // When omitted or nil, it indicates that the status has not yet been set by the controller.
+ // The controller will populate this field with validation conditions and operational state.
+ // +optional
+ Status CRIOCredentialProviderConfigStatus `json:"status,omitzero,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpec struct {
+ // matchImages is a required list of string patterns used to determine whether
+ // the CRI-O credential provider should be invoked for a given image. This list is
+ // passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ // the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ // that image or its mirrors.
+ // Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider.
+ // Conflicts between the existing platform specific provider image match configuration and this list will be handled by
+ // the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those
+ // from the CRIOCredentialProviderConfig when both match the same image.
+ // To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with
+ // existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml).
+ // You can check the resource's Status conditions
+ // to see if any entries were ignored due to exact matches with known built-in provider patterns.
+ //
+ // This field is required and must contain between 1 and 50 entries.
+ // The list is treated as a set, so duplicate entries are not allowed.
+ //
+ // For more details, see:
+ // https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ // https://github.com/cri-o/crio-credential-provider#architecture
+ //
+ // Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters.
+ // Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ // and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ // A global wildcard '*' (matching any domain) is not allowed.
+ // Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ // For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ // Each wildcard matches only a single domain label,
+ // so '*.io' does **not** match '*.k8s.io'.
+ //
+ // A match exists between an image and a matchImage when all of the below are true:
+ // Both contain the same number of domain parts and each part matches.
+ // The URL path of an matchImages must be a prefix of the target image URL path.
+ // If the matchImages contains a port, then the port must match in the image as well.
+ //
+ // Example values of matchImages:
+ // - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ // - *.azurecr.io
+ // - gcr.io
+ // - *.*.registry.io
+ // - registry.io:8080/path
+ //
+ // +kubebuilder:validation:MaxItems=50
+ // +kubebuilder:validation:MinItems=1
+ // +listType=set
+ // +required
+ MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?)(\\.(\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?))*)(:[0-9]+)?(/[-a-z0-9_/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name in lowercase with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+// +kubebuilder:validation:MinProperties=1
+type CRIOCredentialProviderConfigStatus struct {
+ // conditions represent the latest available observations of the configuration state.
+ // When omitted, it indicates that no conditions have been reported yet.
+ // The maximum number of conditions is 16.
+ // Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+ //
+ // Expected condition types include:
+ // "Validated": indicates whether the matchImages configuration is valid
+ // +optional
+ // +kubebuilder:validation:MaxItems=16
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+ // ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+ // matchImages configuration has been validated successfully.
+ // When True, all matchImage patterns are valid and have been applied.
+ // When False, the configuration contains errors (see Reason for details).
+ // Possible reasons for False status:
+ // - ValidationFailed: matchImages contains invalid patterns
+ // - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+ ConditionTypeValidated = "Validated"
+
+ // ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+ // to indicate that the matchImages configuration contains one or more invalid registry patterns
+ // that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+ ReasonValidationFailed = "ValidationFailed"
+
+ // ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+ // to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+ // The condition message will contain details about which entries were ignored and why.
+ ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+ // ConditionTypeMachineConfigRendered is a condition type that indicates whether
+ // the CRIOCredentialProviderConfig has been successfully rendered into a
+ // MachineConfig object.
+ // When True, the corresponding MachineConfig is present in the cluster.
+ // When False, rendering failed.
+ ConditionTypeMachineConfigRendered = "MachineConfigRendered"
+
+ // ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True
+ // to indicate that the MachineConfig was successfully created/updated in the API server.
+ ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded"
+
+ // ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False
+ // to indicate that the MachineConfig creation/update failed.
+ // The condition message will contain details about the failure.
+ ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed"
+)
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 9ead6aba2..b64c61b76 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -192,6 +192,111 @@ func (in *BackupStatus) DeepCopy() *BackupStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig.
+func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]CRIOCredentialProviderConfig, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList.
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) {
+ *out = *in
+ if in.MatchImages != nil {
+ in, out := &in.MatchImages, &out.MatchImages
+ *out = make([]MatchImage, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) {
+ *out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]metav1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
*out = *in
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 2f79f801d..42e96ed45 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -21,6 +21,29 @@ backups.config.openshift.io:
- AutomatedEtcdBackup
Version: v1alpha1
+criocredentialproviderconfigs.config.openshift.io:
+ Annotations: {}
+ ApprovedPRNumber: https://github.com/openshift/api/pull/1929
+ CRDName: criocredentialproviderconfigs.config.openshift.io
+ Capability: ""
+ Category: ""
+ FeatureGates:
+ - CRIOCredentialProviderConfig
+ FilenameOperatorName: config-operator
+ FilenameOperatorOrdering: "01"
+ FilenameRunLevel: "0000_10"
+ GroupName: config.openshift.io
+ HasStatus: true
+ KindName: CRIOCredentialProviderConfig
+ Labels: {}
+ PluralName: criocredentialproviderconfigs
+ PrinterColumns: []
+ Scope: Cluster
+ ShortNames: null
+ TopLevelFeatureGates:
+ - CRIOCredentialProviderConfig
+ Version: v1alpha1
+
clusterimagepolicies.config.openshift.io:
Annotations: {}
ApprovedPRNumber: https://github.com/openshift/api/pull/1457
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 59a5b3708..c32c2838c 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -226,6 +226,44 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string {
return map_UserDefinedMonitoring
}
+var map_CRIOCredentialProviderConfig = map[string]string{
+ "": "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "spec": "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+ "status": "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+}
+
+func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfig
+}
+
+var map_CRIOCredentialProviderConfigList = map[string]string{
+ "": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigList
+}
+
+var map_CRIOCredentialProviderConfigSpec = map[string]string{
+ "": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ "matchImages": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is required and must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. 
Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+}
+
+func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigSpec
+}
+
+var map_CRIOCredentialProviderConfigStatus = map[string]string{
+ "": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ "conditions": "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+}
+
+func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigStatus
+}
+
var map_ImagePolicy = map[string]string{
"": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index 6b21a4ae5..842984845 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
@@ -13,7 +13,6 @@
| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | | | | |
| NetworkConnect| | | Enabled | Enabled | | | | |
| NewOLMCatalogdAPIV1Metas| | | | Enabled | | | | Enabled |
-| NewOLMOwnSingleNamespace| | | | Enabled | | | | Enabled |
| NewOLMPreflightPermissionChecks| | | | Enabled | | | | Enabled |
| NoRegistryClusterInstall| | | | Enabled | | | | Enabled |
| ProvisioningRequestAvailable| | | Enabled | Enabled | | | | |
@@ -31,17 +30,22 @@
| BootcNodeManagement| | | Enabled | Enabled | | | Enabled | Enabled |
| CBORServingAndStorage| | | Enabled | Enabled | | | Enabled | Enabled |
| CRDCompatibilityRequirementOperator| | | Enabled | Enabled | | | Enabled | Enabled |
+| CRIOCredentialProviderConfig| | | Enabled | Enabled | | | Enabled | Enabled |
| ClientsPreferCBOR| | | Enabled | Enabled | | | Enabled | Enabled |
| ClusterAPIInstallIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled |
| ClusterAPIMachineManagement| | | Enabled | Enabled | | | Enabled | Enabled |
| ClusterMonitoringConfig| | | Enabled | Enabled | | | Enabled | Enabled |
+| ClusterUpdateAcceptRisks| | | Enabled | Enabled | | | Enabled | Enabled |
| ClusterVersionOperatorConfiguration| | | Enabled | Enabled | | | Enabled | Enabled |
+| ConfigurablePKI| | | Enabled | Enabled | | | Enabled | Enabled |
| DNSNameResolver| | | Enabled | Enabled | | | Enabled | Enabled |
| DualReplica| | | Enabled | Enabled | | | Enabled | Enabled |
| DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled |
+| EVPN| | | Enabled | Enabled | | | Enabled | Enabled |
| EtcdBackendQuota| | | Enabled | Enabled | | | Enabled | Enabled |
| EventTTL| | | Enabled | Enabled | | | Enabled | Enabled |
| Example| | | Enabled | Enabled | | | Enabled | Enabled |
+| ExternalOIDCWithUpstreamParity| | | Enabled | Enabled | | | Enabled | Enabled |
| GCPClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled |
| GCPCustomAPIEndpoints| | | Enabled | Enabled | | | Enabled | Enabled |
| GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | | | Enabled | Enabled |
@@ -61,6 +65,7 @@
| MutableCSINodeAllocatableCount| | | Enabled | Enabled | | | Enabled | Enabled |
| MutatingAdmissionPolicy| | | Enabled | Enabled | | | Enabled | Enabled |
| NewOLM| | Enabled | | Enabled | | Enabled | | Enabled |
+| NewOLMOwnSingleNamespace| | Enabled | | Enabled | | Enabled | | Enabled |
| NewOLMWebhookProviderOpenshiftServiceCA| | Enabled | | Enabled | | Enabled | | Enabled |
| NutanixMultiSubnets| | | Enabled | Enabled | | | Enabled | Enabled |
| OSStreams| | | Enabled | Enabled | | | Enabled | Enabled |
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
index c6442186a..d1d5941fa 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
@@ -463,10 +463,11 @@ const (
// DedicatedHost represents the configuration for the usage of dedicated host.
type DedicatedHost struct {
// id identifies the AWS Dedicated Host on which the instance must run.
- // The value must start with "h-" followed by 17 lowercase hexadecimal characters (0-9 and a-f).
- // Must be exactly 19 characters in length.
- // +kubebuilder:validation:XValidation:rule="self.matches('^h-[0-9a-f]{17}$')",message="hostID must start with 'h-' followed by 17 lowercase hexadecimal characters (0-9 and a-f)"
- // +kubebuilder:validation:MinLength=19
+ // The value must start with "h-" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f).
+ // The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format.
+ // Must be either 10 or 19 characters in length.
+ // +kubebuilder:validation:XValidation:rule="self.matches('^h-([0-9a-f]{8}|[0-9a-f]{17})$')",message="hostID must start with 'h-' followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f)"
+ // +kubebuilder:validation:MinLength=10
// +kubebuilder:validation:MaxLength=19
// +required
ID string `json:"id,omitempty"`
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
index 33f472f92..6bfe85081 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
@@ -185,6 +185,18 @@ const (
MachineAuthorityMigrating MachineAuthority = "Migrating"
)
+// SynchronizedAPI holds the last stable value of authoritativeAPI.
+// +kubebuilder:validation:Enum=MachineAPI;ClusterAPI
+type SynchronizedAPI string
+
+const (
+ // MachineAPISynchronized indicates that the Machine API is the last synchronized API.
+ MachineAPISynchronized SynchronizedAPI = "MachineAPI"
+
+ // ClusterAPISynchronized indicates that the Cluster API is the last synchronized API.
+ ClusterAPISynchronized SynchronizedAPI = "ClusterAPI"
+)
+
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -317,6 +329,7 @@ type LifecycleHook struct {
// MachineStatus defines the observed state of Machine
// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set"
type MachineStatus struct {
// nodeRef will point to the corresponding Node if it exists.
// +optional
@@ -406,6 +419,14 @@ type MachineStatus struct {
// +optional
AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"`
+ // synchronizedAPI holds the last stable value of authoritativeAPI.
+ // It is used to detect migration cancellation requests and to restore the resource to its previous state.
+ // Valid values are "MachineAPI" and "ClusterAPI".
+ // When omitted, the resource has not yet been reconciled by the migration controller.
+ // +openshift:enable:FeatureGate=MachineAPIMigration
+ // +optional
+ SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"`
+
// synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with.
// This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.
// +kubebuilder:validation:Minimum=0
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
index a2343dc39..be5476344 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
@@ -112,6 +112,7 @@ type MachineTemplateSpec struct {
// MachineSetStatus defines the observed state of MachineSet
// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set"
type MachineSetStatus struct {
// replicas is the most recently observed number of replicas.
// +optional
@@ -168,6 +169,14 @@ type MachineSetStatus struct {
// +optional
AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"`
+ // synchronizedAPI holds the last stable value of authoritativeAPI.
+ // It is used to detect migration cancellation requests and to restore the resource to its previous state.
+ // Valid values are "MachineAPI" and "ClusterAPI".
+ // When omitted, the resource has not yet been reconciled by the migration controller.
+ // +openshift:enable:FeatureGate=MachineAPIMigration
+ // +optional
+ SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"`
+
// synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with.
// This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.
// +kubebuilder:validation:Minimum=0
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
index 903faf94b..0d043ad60 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
@@ -94,7 +94,7 @@ func (CPUOptions) SwaggerDoc() map[string]string {
var map_DedicatedHost = map[string]string{
"": "DedicatedHost represents the configuration for the usage of dedicated host.",
- "id": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by 17 lowercase hexadecimal characters (0-9 and a-f). Must be exactly 19 characters in length.",
+ "id": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.",
}
func (DedicatedHost) SwaggerDoc() map[string]string {
@@ -626,6 +626,7 @@ var map_MachineStatus = map[string]string{
"phase": "phase represents the current phase of machine actuation. One of: Failed, Provisioning, Provisioned, Running, Deleting",
"conditions": "conditions defines the current state of the Machine",
"authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.",
+ "synchronizedAPI": "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.",
"synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.",
}
@@ -729,6 +730,7 @@ var map_MachineSetStatus = map[string]string{
"errorReason": "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.",
"conditions": "conditions defines the current state of the MachineSet",
"authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.",
+ "synchronizedAPI": "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.",
"synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.",
}
diff --git a/vendor/github.com/openshift/api/openapi/openapi.json b/vendor/github.com/openshift/api/openapi/openapi.json
index c9a1a8d9a..11bde944a 100644
--- a/vendor/github.com/openshift/api/openapi/openapi.json
+++ b/vendor/github.com/openshift/api/openapi/openapi.json
@@ -4572,6 +4572,19 @@
}
}
},
+ "com.github.openshift.api.config.v1.AcceptRisk": {
+ "description": "AcceptRisk represents a risk that is considered acceptable.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "description": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.",
+ "type": "string"
+ }
+ }
+ },
"com.github.openshift.api.config.v1.AdmissionConfig": {
"type": "object",
"properties": {
@@ -5859,6 +5872,18 @@
"default": {},
"$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus"
},
+ "conditionalUpdateRisks": {
+ "description": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.ConditionalUpdateRisk"
+ },
+ "x-kubernetes-list-map-keys": [
+ "name"
+ ],
+ "x-kubernetes-list-type": "map"
+ },
"conditionalUpdates": {
"description": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
"type": "array",
@@ -6066,6 +6091,15 @@
"default": {},
"$ref": "#/definitions/com.github.openshift.api.config.v1.Release"
},
+ "riskNames": {
+ "description": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "default": ""
+ },
+ "x-kubernetes-list-type": "set"
+ },
"risks": {
"description": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.",
"type": "array",
@@ -6092,6 +6126,18 @@
"matchingRules"
],
"properties": {
+ "conditions": {
+ "description": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+ },
+ "x-kubernetes-list-map-keys": [
+ "type"
+ ],
+ "x-kubernetes-list-type": "map"
+ },
"matchingRules": {
"description": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.",
"type": "array",
@@ -6302,7 +6348,7 @@
"x-kubernetes-list-type": "atomic"
},
"minTLSVersion": {
- "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+ "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11",
"type": "string",
"default": ""
}
@@ -6951,26 +6997,6 @@
}
}
},
- "com.github.openshift.api.config.v1.GCPServiceEndpoint": {
- "description": "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.",
- "type": "object",
- "required": [
- "name",
- "url"
- ],
- "properties": {
- "name": {
- "description": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.",
- "type": "string",
- "default": ""
- },
- "url": {
- "description": "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"",
- "type": "string",
- "default": ""
- }
- }
- },
"com.github.openshift.api.config.v1.GatherConfig": {
"description": "GatherConfig provides data gathering configuration options.",
"type": "object",
@@ -8508,7 +8534,7 @@
}
},
"com.github.openshift.api.config.v1.IntermediateTLSProfile": {
- "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+ "description": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.",
"type": "object"
},
"com.github.openshift.api.config.v1.KMSConfig": {
@@ -8786,7 +8812,7 @@
}
},
"com.github.openshift.api.config.v1.ModernTLSProfile": {
- "description": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+ "description": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.",
"type": "object"
},
"com.github.openshift.api.config.v1.NamedCertificate": {
@@ -9670,6 +9696,18 @@
"componentName"
],
"x-kubernetes-list-type": "map"
+ },
+ "userValidationRules": {
+ "description": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenUserValidationRule"
+ },
+ "x-kubernetes-list-map-keys": [
+ "expression"
+ ],
+ "x-kubernetes-list-type": "map"
}
}
},
@@ -9704,7 +9742,7 @@
}
},
"com.github.openshift.api.config.v1.OldTLSProfile": {
- "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+ "description": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.",
"type": "object"
},
"com.github.openshift.api.config.v1.OpenIDClaims": {
@@ -11282,7 +11320,7 @@
"x-kubernetes-list-type": "atomic"
},
"minTLSVersion": {
- "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+ "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11",
"type": "string",
"default": ""
}
@@ -11293,23 +11331,23 @@
"type": "object",
"properties": {
"custom": {
- "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11",
+ "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256",
"$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile"
},
"intermediate": {
- "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12",
+ "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384",
"$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile"
},
"modern": {
- "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13",
+ "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256",
"$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile"
},
"old": {
- "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10",
+ "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA",
"$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile"
},
"type": {
- "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.",
+ "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.",
"type": "string",
"default": ""
}
@@ -11465,18 +11503,41 @@
}
}
},
+ "com.github.openshift.api.config.v1.TokenClaimValidationCELRule": {
+ "type": "object",
+ "required": [
+ "expression",
+ "message"
+ ],
+ "properties": {
+ "expression": {
+ "description": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.",
+ "type": "string"
+ },
+ "message": {
+ "description": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+ "type": "string"
+ }
+ }
+ },
"com.github.openshift.api.config.v1.TokenClaimValidationRule": {
+ "description": "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. If Type is CEL, CEL must be set and RequiredClaim must be omitted.",
"type": "object",
"required": [
"type"
],
"properties": {
+ "cel": {
+ "description": "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimValidationCELRule"
+ },
"requiredClaim": {
- "description": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.",
+ "description": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.",
"$ref": "#/definitions/com.github.openshift.api.config.v1.TokenRequiredClaim"
},
"type": {
- "description": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
+ "description": "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.",
"type": "string",
"default": ""
}
@@ -11518,6 +11579,10 @@
},
"x-kubernetes-list-type": "set"
},
+ "discoveryURL": {
+ "description": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.",
+ "type": "string"
+ },
"issuerCertificateAuthority": {
"description": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.",
"default": {},
@@ -11549,10 +11614,40 @@
}
}
},
+ "com.github.openshift.api.config.v1.TokenUserValidationRule": {
+ "description": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.",
+ "type": "object",
+ "required": [
+ "expression",
+ "message"
+ ],
+ "properties": {
+ "expression": {
+ "description": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.",
+ "type": "string"
+ },
+ "message": {
+ "description": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+ "type": "string"
+ }
+ }
+ },
"com.github.openshift.api.config.v1.Update": {
"description": "Update represents an administrator update request.",
"type": "object",
"properties": {
+ "acceptRisks": {
+ "description": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.AcceptRisk"
+ },
+ "x-kubernetes-list-map-keys": [
+ "name"
+ ],
+ "x-kubernetes-list-type": "map"
+ },
"architecture": {
"description": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.",
"type": "string",
@@ -11587,7 +11682,7 @@
],
"properties": {
"acceptedRisks": {
- "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
+ "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
"type": "string"
},
"completionTime": {
@@ -12240,6 +12335,103 @@
"com.github.openshift.api.config.v1alpha1.BackupStatus": {
"type": "object"
},
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig": {
+ "description": "CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "type": "object",
+ "required": [
+ "spec"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+ },
+ "spec": {
+ "description": "spec defines the desired configuration of the CRIO Credential Provider.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec"
+ },
+ "status": {
+ "description": "status represents the current state of the CRIOCredentialProviderConfig.",
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigList": {
+ "description": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "type": "object",
+ "required": [
+ "metadata",
+ "items"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"
+ }
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec": {
+ "description": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ "type": "object",
+ "required": [
+ "matchImages"
+ ],
+ "properties": {
+ "matchImages": {
+ "description": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label. For example, '*.example.com' is valid, but 'example*.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: - Both contain the same number of domain parts and each part matches. - The URL path of an matchImages must be a prefix of the target image URL path. - If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "default": ""
+ },
+ "x-kubernetes-list-type": "set"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus": {
+ "description": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ "type": "object",
+ "properties": {
+ "conditions": {
+ "description": "conditions represent the latest available observations of the configuration state",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+ },
+ "x-kubernetes-list-map-keys": [
+ "type"
+ ],
+ "x-kubernetes-list-type": "map"
+ }
+ }
+ },
"com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": {
"description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
"type": "object",
@@ -23640,7 +23832,7 @@
],
"properties": {
"id": {
- "description": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by 17 lowercase hexadecimal characters (0-9 and a-f). Must be exactly 19 characters in length.",
+ "description": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.",
"type": "string"
}
}
@@ -28861,7 +29053,7 @@
],
"properties": {
"name": {
- "description": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.",
+ "description": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.",
"type": "string",
"default": ""
},
@@ -29510,7 +29702,7 @@
"type": "string"
},
"capabilities": {
- "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.",
+ "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.",
"type": "array",
"items": {
"default": {},
diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go
index e030a65c8..35795b2b7 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_console.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_console.go
@@ -107,6 +107,9 @@ const (
// gettingStartedBanner is the name of the 'Getting started resources' banner in the console UI Overview page.
GettingStartedBanner ConsoleCapabilityName = "GettingStartedBanner"
+
+ // guidedTour is the name of the 'Guided Tour' feature in console UI.
+ GuidedTour ConsoleCapabilityName = "GuidedTour"
)
// CapabilityState defines the state of the capability in the console UI.
@@ -134,8 +137,8 @@ type CapabilityVisibility struct {
// Capabilities contains set of UI capabilities and their state in the console UI.
type Capability struct {
// name is the unique name of a capability.
- // Available capabilities are LightspeedButton and GettingStartedBanner.
- // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner"
+ // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
+ // +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner";"GuidedTour"
// +required
Name ConsoleCapabilityName `json:"name"`
// visibility defines the visibility state of the capability.
@@ -281,10 +284,10 @@ type ConsoleCustomization struct {
// capabilities defines an array of capabilities that can be interacted with in the console UI.
// Each capability defines a visual state that can be interacted with the console to render in the UI.
- // Available capabilities are LightspeedButton and GettingStartedBanner.
+ // Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
// Each of the available capabilities may appear only once in the list.
// +kubebuilder:validation:MinItems=1
- // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MaxItems=3
// +listType=map
// +listMapKey=name
// +optional
diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
index c6bcd22bc..f5836af0f 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
@@ -18,7 +18,8 @@ import (
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
type MachineConfiguration struct {
metav1.TypeMeta `json:",inline"`
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
index 06096a6c8..64aac26eb 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
@@ -210,7 +210,7 @@ func (AddPage) SwaggerDoc() map[string]string {
var map_Capability = map[string]string{
"": "Capabilities contains set of UI capabilities and their state in the console UI.",
- "name": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.",
+ "name": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.",
"visibility": "visibility defines the visibility state of the capability.",
}
@@ -259,7 +259,7 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string {
var map_ConsoleCustomization = map[string]string{
"": "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.",
"logos": "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.",
- "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.",
+ "capabilities": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.",
"brand": "brand is the default branding of the web console which can be overridden by providing the brand field. There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.",
"documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console. Providing documentationBaseURL will override the default documentation URL. Invalid value will prevent a console rollout.",
"customProductName": "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.",
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 47a5b97db..89726f665 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -62,7 +62,7 @@ github.com/modern-go/reflect2
# github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
## explicit
github.com/munnerz/goautoneg
-# github.com/openshift/api v0.0.0-20260107103503-6d35063ca179
+# github.com/openshift/api v0.0.0-20260107103503-6d35063ca179 => github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c
## explicit; go 1.24.0
github.com/openshift/api
github.com/openshift/api/apiextensions
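Review bot: The `github.com/openshift/api` module is now resolved from a personal fork (`github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c`) via a replace, recorded on the `# github.com/openshift/api ...` header here and again as the appended `# github.com/openshift/api => ...` line in the file's last hunk; the corresponding go.mod change is not in this chunk. Every vendored openshift/api file in this commit (the types_console.go, types_machineconfiguration.go and swagger-doc hunks) therefore reflects an unreviewed fork commit rather than an upstream pseudo-version, and the fork pin would ship to anyone building from this repository. If this is a temporary pin while an upstream openshift/api PR is pending, the commit description should say so and name the upstream change, and the replace should be dropped in favour of the upstream pseudo-version before merge; if it is not temporary, it needs explicit justification in the description.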
@@ -531,3 +531,4 @@ sigs.k8s.io/structured-merge-diff/v6/value
# sigs.k8s.io/yaml v1.6.0
## explicit; go 1.22
sigs.k8s.io/yaml
+# github.com/openshift/api => github.com/QiWang19/api v0.0.0-20260116202510-c9eef661b38c