diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 0b6e6d4700c..91a3dca2367 100644 --- a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -617,6 +617,73 @@ tests: claim: "preferred_username" groups: claim: "" + - name: Cannot set prefixPolicy to Prefix when using username expression + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + expression: "claims.sub" + prefixPolicy: Prefix + prefix: + prefixString: "myoidc:" + expectedError: "prefixPolicy must not be set to 'Prefix' when expression is set" + + - name: Can set prefixPolicy to NoPrefix when using username expression + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + expression: "claims.sub" + prefixPolicy: NoPrefix + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + expression: "claims.sub" + prefixPolicy: NoPrefix + + - name: Cannot set prefix when using groups expression + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + groups: + expression: "claims.groups" + prefix: "oidc-group:" + expectedError: "prefix must not be set when expression is set" onUpdate: - name: Should allow updating other fields if existing username claim mapping is longer than 256 characters initialCRDPatches: diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 64d0f399b09..1aecd2b99d9 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -618,6 +618,7 @@ type OIDCClientReference struct { // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required" // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required" // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true",message="prefixPolicy must not be set to 'Prefix' when expression is set" type UsernameClaimMapping struct { // claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. // claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. @@ -710,6 +711,7 @@ type UsernamePrefix struct { // PrefixedClaimMapping configures a claim mapping // that allows for an optional prefix. +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? self.prefix == \"\" : true",message="prefix must not be set when expression is set" type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index b4b8eb306fa..75b67deffa3 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index c46017aa3d2..aad7d968992 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 9da4945a7f3..4cd3607fc26 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index ba00be69c86..76926d45d80 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -123,6 +123,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -204,6 +207,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/openapi/openapi.json b/openapi/openapi.json index 039a2d2007b..ce7da15e828 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -15949,6 +15949,10 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerServingCerts" }, + "tlsAdherence": { + "description": "tlsAdherence controls if components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyAdheringComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyAdheringComponentsOnly\", components that already honor the cluster-wide TLS profile continue to do so. Components that do not already honor it continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile unless they have a component-specific TLS configuration that overrides it. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: Some components such as Kubelet and IngressController have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these component-specific TLS configurations are set, they take precedence over the cluster-wide tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nThis field is optional. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is LegacyAdheringComponentsOnly.\n\nOnce set, this field may be changed to a different value, but may not be removed.", + "type": "string" + }, "tlsSecurityProfile": { "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TLSSecurityProfile" @@ -24078,109 +24082,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": { - "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec contains the configuration for the cluster image policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyList": { - "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec": { - "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.config.v1alpha1.ClusterMonitoring": { "description": "ClusterMonitoring is the Custom Resource object which holds the current status of Cluster Monitoring Operator. CMO is a central component of the monitoring stack.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. ClusterMonitoring is the Schema for the Cluster Monitoring Operators API", "type": "object", @@ -24443,198 +24344,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ImagePolicy": { - "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec holds user settable values for configuration", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": { - "description": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyList": { - "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust": { - "description": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust": { - "description": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicySpec": { - "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy": { - "description": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust specifies the root of trust for the policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyIdentity" - } - } - }, "com.github.openshift.api.config.v1alpha1.InsightsDataGather": { "description": "InsightsDataGather provides data gather configuration options for the the Insights Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -25049,20 +24758,6 @@ } ] }, - "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { - "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "type": "object", - "properties": { - "email": { - "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", - "type": "string" - }, - "hostname": { - "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1alpha1.PKIList": { "description": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -25154,138 +24849,19 @@ "description": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", "type": "object", "required": [ - "claim" - ], - "properties": { - "claim": { - "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PersistentVolumeClaimReference" - }, - "mountPath": { - "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", - "type": "string" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject": { - "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "type": "object", - "required": [ - "oidcIssuer", - "signedEmail" - ], - "properties": { - "oidcIssuer": { - "description": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "type": "string", - "default": "" - }, - "signedEmail": { - "description": "signedEmail holds the email address the the Fulcio certificate is issued for. Example: \"expected-signing-user@example.com\"", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyIdentity": { - "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "type": "object", - "required": [ - "matchPolicy" - ], - "properties": { - "exactRepository": { - "description": "exactRepository is required if matchPolicy is set to \"ExactRepository\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository" - }, - "matchPolicy": { - "description": "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. \"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "type": "string", - "default": "" - }, - "remapIdentity": { - "description": "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "matchPolicy", - "fields-to-discriminateBy": { - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity" - } - } - ] - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository": { - "type": "object", - "required": [ - "repository" - ], - "properties": { - "repository": { - "description": "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity": { - "type": "object", - "required": [ - "prefix", - "signedPrefix" - ], - "properties": { - "prefix": { - "description": "prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - }, - "signedPrefix": { - "description": "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust": { - "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "type": "object", - "required": [ - "policyType" - ], - "properties": { - "fulcioCAWithRekor": { - "description": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust" - }, - "pki": { - "description": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust" - }, - "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "type": "string", - "default": "" - }, - "publicKey": { - "description": "publicKey defines the root of trust based on a sigstore public key.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "policyType", - "fields-to-discriminateBy": { - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey" - } + "claim" + ], + "properties": { + "claim": { + "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PersistentVolumeClaimReference" + }, + "mountPath": { + "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", + "type": "string" } - ] + } }, "com.github.openshift.api.config.v1alpha1.PrometheusConfig": { "description": "PrometheusConfig provides configuration options for the Prometheus instance. Use this configuration to control Prometheus deployment, pod scheduling, resource allocation, retention policies, and external integrations.", @@ -38699,214 +38275,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference": { - "description": "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode": { - "description": "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object metadata.", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of the machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec" - }, - "status": { - "description": "status describes the last observed state of this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeList": { - "description": "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains a collection of MachineConfigNode resources.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list metadata.", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec": { - "description": "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", - "type": "object", - "required": [ - "node", - "pool", - "configVersion" - ], - "properties": { - "configVersion": { - "description": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion" - }, - "node": { - "description": "node contains a reference to the node for this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" - }, - "pool": { - "description": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion": { - "description": "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", - "type": "object", - "required": [ - "desired" - ], - "properties": { - "desired": { - "description": "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus": { - "description": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", - "type": "object", - "required": [ - "configVersion" - ], - "properties": { - "conditions": { - "description": "conditions represent the observations of a machine config node's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "configVersion": { - "description": "configVersion describes the current and desired machine config version for this node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion" - }, - "observedGeneration": { - "description": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", - "type": "integer", - "format": "int64" - }, - "pinnedImageSets": { - "description": "pinnedImageSets describes the current and desired pinned image sets for this node.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion": { - "description": "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", - "type": "object", - "required": [ - "desired" - ], - "properties": { - "current": { - "description": "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - }, - "desired": { - "description": "desired is the MachineConfig the node wants to upgrade to. This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet": { - "description": "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "currentGeneration": { - "description": "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "desiredGeneration": { - "description": "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGeneration": { - "description": "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGenerationError": { - "description": "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", - "type": "string" - }, - "name": { - "description": "name is the name of the pinned image set. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStream": { "description": "OSImageStream describes a set of streams and associated images available for the MachineConfigPools to be used as base OS images.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -38995,7 +38363,7 @@ "type": "object", "properties": { "defaultStream": { - "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically. Once set, this field cannot be removed.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", "type": "string" } } @@ -39026,118 +38394,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is an OCI Image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet": { - "description": "PinnedImageSet describes a set of images that should be pinned by CRI-O and pulled to the nodes which are members of the declared MachineConfigPools.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec" - }, - "status": { - "description": "status describes the last observed state of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetList": { - "description": "PinnedImageSetList is a list of PinnedImageSet resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec": { - "description": "PinnedImageSetSpec defines the desired state of a PinnedImageSet.", - "type": "object", - "required": [ - "pinnedImages" - ], - "properties": { - "pinnedImages": { - "description": "pinnedImages is a list of OCI Image referenced by digest that should be pinned and pre-loaded by the nodes of a MachineConfigPool. Translates into a new file inside the /etc/crio/crio.conf.d directory with content similar to this:\n\n pinned_images = [\n \"quay.io/openshift-release-dev/ocp-release@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n ...\n ]\n\nThese image references should all be by digest, tags aren't allowed.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus": { - "description": "PinnedImageSetStatus describes the current state of a PinnedImageSet.", - "type": "object", - "properties": { - "conditions": { - "description": "conditions represent the observations of a pinned image set's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.monitoring.v1.AlertRelabelConfig": { "description": "AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index b4b8eb306fa..75b67deffa3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index c46017aa3d2..aad7d968992 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 9da4945a7f3..4cd3607fc26 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -218,6 +218,9 @@ spec: type: string type: object x-kubernetes-validations: + - message: prefix must not be set when expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? self.prefix == "" : true' - message: expression must not be set if claim is specified and is not an empty string rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) @@ -341,6 +344,11 @@ spec: - message: precisely one of claim or expression must be set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' + - message: prefixPolicy must not be set to 'Prefix' when + expression is set + rule: 'has(self.expression) && size(self.expression) > + 0 ? !has(self.prefixPolicy) || self.prefixPolicy != + ''Prefix'' : true' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy ==