diff --git a/go.mod b/go.mod index 6d839e7689ae..53979d143dda 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/onsi/ginkgo/v2 v2.20.2 github.com/onsi/gomega v1.34.2 github.com/opencontainers/go-digest v1.0.0 - github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f + github.com/openshift/api v0.0.0-20241128230347-e456392b2cb4 github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6 github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660 github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f diff --git a/go.sum b/go.sum index 56ba48e9cb28..b4f2db2edfdc 100644 --- a/go.sum +++ b/go.sum @@ -670,8 +670,8 @@ github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78 h1:R github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU= github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f h1:ya1OmyZm3LIIxI3U9VE9Nyx3ehCHgBwxyFUPflYPWls= -github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= +github.com/openshift/api v0.0.0-20241128230347-e456392b2cb4 h1:k0v6SS4fSCw73XkS6gNDfZdRqh+r7gJ81Haa+5Ab0VM= +github.com/openshift/api v0.0.0-20241128230347-e456392b2cb4/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6 h1:Wban+ggY6sbg611SQSOeavUeug2cRJGz0rEeXxTxIH0= github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6/go.mod h1:9Anrq7+DZmmw1Brchx4zmh26hAZbe6Dv7bGXRclnhYI= github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660 h1:F0zE2bmdVvaEd18VXuGYQdJJ1FYJu4MIDW9PYZWc9No= diff --git a/test/extended/include.go b/test/extended/include.go index fd750e5288c0..0b3c14065f67 100644 --- a/test/extended/include.go +++ b/test/extended/include.go @@ -39,6 +39,7 @@ import ( _ "github.com/openshift/origin/test/extended/machine_config" _ "github.com/openshift/origin/test/extended/machines" _ "github.com/openshift/origin/test/extended/networking" + _ "github.com/openshift/origin/test/extended/node" _ "github.com/openshift/origin/test/extended/node_tuning" _ "github.com/openshift/origin/test/extended/oauth" _ "github.com/openshift/origin/test/extended/olm" diff --git a/test/extended/node/minimum_kubelet_version.go b/test/extended/node/minimum_kubelet_version.go new file mode 100644 index 000000000000..302f55cce67f --- /dev/null +++ b/test/extended/node/minimum_kubelet_version.go @@ -0,0 +1,266 @@ +package node + +import ( + "context" + "errors" + "fmt" + "strings" + "time" + + "github.com/onsi/ginkgo/v2" + g "github.com/onsi/ginkgo/v2" + o "github.com/onsi/gomega" + operatorv1client "github.com/openshift/client-go/operator/clientset/versioned" + "github.com/openshift/origin/pkg/test/ginkgo/result" + exutil "github.com/openshift/origin/test/extended/util" + authorizationv1 "k8s.io/api/authorization/v1" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + clientset "k8s.io/client-go/kubernetes" + restclient "k8s.io/client-go/rest" + "k8s.io/kubernetes/test/e2e/framework" +) + +const ( + nodesGroup = "system:nodes" + nodeNamePrefix = "system:node:" + desiredTestDuration = 25 * time.Minute +) + +var _ = g.Describe("[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission", func() { + defer g.GinkgoRecover() + + oc := exutil.NewCLIWithoutNamespace("minimum-kubelet-version") + + g.DescribeTable("admission", func(version string, expectedErr bool) { + defer updateMinimumKubeletVersion(oc, version, expectedErr) + }, + g.Entry("should allow an empty minimum kubelet version", "", false), + g.Entry("should allow an old minimum kubelet version", "1.30.0", false), + g.Entry("should not allow with a new minimum kubelet version", "1.100.0", true), + g.Entry("should not allow with a new minimum kubelet version", "1.100.0", true), + ) +}) + +type minimumKubeletVersionAuthTestCase struct { + testName string + kubeletVersion string + testFunc func() +} + +var _ = g.Describe("[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial]", func() { + defer g.GinkgoRecover() + + var ( + nodeImpersonatingClient clientset.Interface + nodeName = "fakenode" + asUser = nodeNamePrefix + nodeName + minimumVersion = "1.30.0" + f = framework.NewDefaultFramework("minimum-kubelet-version") + oc = exutil.NewCLIWithoutNamespace("minimum-kubelet-version") + ) + + g.BeforeEach(func() { + g.DeferCleanup(updateMinimumKubeletVersionAndWait(oc, minimumVersion)) + + ginkgo.By("Creating a kubernetes client that impersonates a node") + config, err := framework.LoadConfig() + framework.ExpectNoError(err, "failed to load kubernetes client config") + config.Impersonate = restclient.ImpersonationConfig{ + UserName: asUser, + Groups: []string{nodesGroup}, + } + nodeImpersonatingClient, err = clientset.NewForConfig(config) + framework.ExpectNoError(err, "failed to create Clientset for the given config: %+v", *config) + }) + + g.It("authorization", func() { + testCases := []minimumKubeletVersionAuthTestCase{ + { + testName: "should be able to list pods if new enough", + kubeletVersion: "v1.30.0", + testFunc: func() { + _, err := nodeImpersonatingClient.CoreV1().Pods(f.Namespace.Name).List(context.Background(), metav1.ListOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + }, + }, + { + testName: "should be able to get node", + kubeletVersion: "v1.29.0", + testFunc: func() { + _, err := nodeImpersonatingClient.CoreV1().Nodes().Get(context.Background(), nodeName, metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + }, + }, + { + testName: "should be able to perform subjectaccessreviews", + kubeletVersion: "v1.29.0", + testFunc: func() { + sar := &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ + Verb: "list", + Resource: "configmaps", + Namespace: f.Namespace.Name, + Version: "v1", + }, + User: asUser, + Groups: []string{nodesGroup}, + }, + } + + _, err := nodeImpersonatingClient.AuthorizationV1().SubjectAccessReviews().Create(context.Background(), sar, metav1.CreateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + }, + }, + { + testName: "should block node from listing pods if too old", + kubeletVersion: "v1.29.0", + testFunc: func() { + _, err := nodeImpersonatingClient.CoreV1().Pods(f.Namespace.Name).List(context.Background(), metav1.ListOptions{}) + o.Expect(err).To(o.HaveOccurred()) + }, + }, + } + // Do this sequentially instead of with a fancier mechanism like g.DescribeTable so we don't + // need to fuss with BeforeSuite/AfterSuite business with rolling out a new apiserver + for _, tc := range testCases { + runMinimumKubeletVersionAuthTest(&tc, nodeName, asUser, nodeImpersonatingClient, f) + } + }) +}) + +// runMinimumKubeletVersionAuthTest runs a test. It's done in a separate function to make cleaning up the created node less messy. +func runMinimumKubeletVersionAuthTest(tc *minimumKubeletVersionAuthTestCase, nodeName, asUser string, nodeImpersonatingClient clientset.Interface, f *framework.Framework) { + framework.Logf("authorization %s", tc.testName) + node := &v1.Node{ + ObjectMeta: metav1.ObjectMeta{Name: nodeName}, + TypeMeta: metav1.TypeMeta{ + Kind: "Node", + APIVersion: "v1", + }, + Status: v1.NodeStatus{ + NodeInfo: v1.NodeSystemInfo{ + KubeletVersion: tc.kubeletVersion, + }, + }, + } + ginkgo.By(fmt.Sprintf("Create node %s by user: %v", nodeName, asUser)) + _, err := nodeImpersonatingClient.CoreV1().Nodes().Create(context.Background(), node, metav1.CreateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + + // Make a new scope so we are sure to cleanup even if the test function fails + defer func() { + if err := f.ClientSet.CoreV1().Nodes().Delete(context.Background(), node.Name, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { + o.Expect(err).NotTo(o.HaveOccurred()) + } + }() + + tc.testFunc() +} + +func updateMinimumKubeletVersionAndWait(oc *exutil.CLI, version string) func() { + ginkgo.By("Updating minimum kubelet version to " + version) + operatorClient := oc.AdminOperatorClient() + + kasStatus, err := operatorClient.OperatorV1().KubeAPIServers().Get(context.Background(), "cluster", metav1.GetOptions{}) + framework.ExpectNoError(err) + + undoFunc := updateMinimumKubeletVersion(oc, version, false) + + // and wait for it to rollout + waitForAPIServerRollout(kasStatus.Status.LatestAvailableRevision, operatorClient) + return func() { + ginkgo.By("Reverting minimum kubelet version to \"\"") + newKasStatus, err := operatorClient.OperatorV1().KubeAPIServers().Get(context.Background(), "cluster", metav1.GetOptions{}) + framework.ExpectNoError(err) + + undoFunc() + + waitForAPIServerRollout(newKasStatus.Status.LatestAvailableRevision, operatorClient) + } +} + +func updateMinimumKubeletVersion(oc *exutil.CLI, version string, expectedErr bool) func() { + nodesConfigOrig, err := oc.AdminConfigClient().ConfigV1().Nodes().Get(context.Background(), "cluster", metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + + nodesConfig := nodesConfigOrig.DeepCopy() + nodesConfig.Spec.MinimumKubeletVersion = version + _, err = oc.AdminConfigClient().ConfigV1().Nodes().Update(context.Background(), nodesConfig, metav1.UpdateOptions{}) + if expectedErr { + o.Expect(err).To(o.HaveOccurred()) + } else { + o.Expect(err).NotTo(o.HaveOccurred()) + } + return func() { + nodesConfigCurrent, err := oc.AdminConfigClient().ConfigV1().Nodes().Get(context.Background(), "cluster", metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + + nodesConfigCurrent.Spec = *nodesConfigOrig.Spec.DeepCopy() + + _, err = oc.AdminConfigClient().ConfigV1().Nodes().Update(context.Background(), nodesConfigCurrent, metav1.UpdateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + } +} + +func waitForAPIServerRollout(previousLatestRevision int32, operatorClient operatorv1client.Interface) { + ctx := context.Background() + // separate context so we exit our loop, but it is still possible to use the main context for client calls + shouldEndTestCtx, shouldEndCancelFn := context.WithTimeout(ctx, desiredTestDuration) + defer shouldEndCancelFn() + + errs := []error{} + flakes := []error{} + // ensure the kube-apiserver operator is stable + nextLogTime := time.Now().Add(time.Minute) + for { + // prevent hot loops, the extra delay doesn't really matter + time.Sleep(10 * time.Second) + if shouldEndTestCtx.Err() != nil { + break + } + + // this may actually be flaky if the kube-apiserver is rolling out badly. Keep track of failures so we can + // fail the run, but don't exit the test here. + kasStatus, err := operatorClient.OperatorV1().KubeAPIServers().Get(ctx, "cluster", metav1.GetOptions{}) + if err != nil { + reportedErr := fmt.Errorf("failed reading clusteroperator, time=%v, err=%w", time.Now(), err) + if strings.Contains(err.Error(), "http2: client connection lost") { + flakes = append(flakes, reportedErr) + continue + } + errs = append(errs, reportedErr) + continue + } + + // check to see that every node is at the latest revision + latestRevision := kasStatus.Status.LatestAvailableRevision + if latestRevision <= previousLatestRevision { + framework.Logf("kube-apiserver still has not observed rollout: previousLatestRevision=%d, latestRevision=%d", previousLatestRevision, latestRevision) + continue + } + + nodeNotAtRevisionReasons := []string{} + for _, nodeStatus := range kasStatus.Status.NodeStatuses { + if nodeStatus.CurrentRevision != latestRevision { + nodeNotAtRevisionReasons = append(nodeNotAtRevisionReasons, fmt.Sprintf("node/%v is at revision %d, not %d", nodeStatus.NodeName, nodeStatus.CurrentRevision, latestRevision)) + } + } + if len(nodeNotAtRevisionReasons) == 0 { + break + } + if time.Now().After(nextLogTime) { + framework.Logf("kube-apiserver still not stable after rollout: %v", strings.Join(nodeNotAtRevisionReasons, "; ")) + nextLogTime = time.Now().Add(time.Minute) + } + } + + if len(errs) > 0 { + framework.ExpectNoError(errors.Join(errs...)) + } + if len(flakes) > 0 { + result.Flakef("errors that will eventually be failures: %v", errors.Join(flakes...)) + } +} diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go index d5b95cc582d0..3fb2c12ef8f1 100644 --- a/test/extended/util/annotate/generated/zz_generated.annotations.go +++ b/test/extended/util/annotate/generated/zz_generated.annotations.go @@ -1679,6 +1679,20 @@ var Annotations = map[string]string{ "[sig-node][Late] should not have pod creation failures due to systemd timeouts": " [Suite:openshift/conformance/parallel]", + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization should be able to get node": " [Suite:openshift/conformance/serial]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization should be able to list pods if new enough": " [Suite:openshift/conformance/serial]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization should be able to perform subjectaccessreviews": " [Suite:openshift/conformance/serial]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization should block node from listing pods if too old": " [Suite:openshift/conformance/serial]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission should allow an empty minimum kubelet version": " [Suite:openshift/conformance/parallel]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission should allow an old minimum kubelet version": " [Suite:openshift/conformance/parallel]", + + "[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission should not allow with a new minimum kubelet version": " [Suite:openshift/conformance/parallel]", + "[sig-node][Suite:openshift/nodes/realtime/latency][Disruptive] Real time kernel should meet latency requirements when tested with cyclictest": " [Serial]", "[sig-node][Suite:openshift/nodes/realtime/latency][Disruptive] Real time kernel should meet latency requirements when tested with hwlatdetect": " [Serial]", diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 61386a72e496..2b392298e89f 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -288,7 +288,7 @@ const ( ) // ClusterVersionCapability enumerates optional, core cluster components. -// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI;Build;DeploymentConfig;ImageRegistry;OperatorLifecycleManager;CloudCredential;Ingress;CloudControllerManager +// +kubebuilder:validation:Enum=openshift-samples;baremetal;marketplace;Console;Insights;Storage;CSISnapshot;NodeTuning;MachineAPI;Build;DeploymentConfig;ImageRegistry;OperatorLifecycleManager;CloudCredential;Ingress;CloudControllerManager;OperatorLifecycleManagerV1 type ClusterVersionCapability string const ( @@ -379,10 +379,14 @@ const ( // allows to distribute Docker images ClusterVersionCapabilityImageRegistry ClusterVersionCapability = "ImageRegistry" - // ClusterVersionCapabilityOperatorLifecycleManager manages the Operator Lifecycle Manager + // ClusterVersionCapabilityOperatorLifecycleManager manages the Operator Lifecycle Manager (legacy) // which itself manages the lifecycle of operators ClusterVersionCapabilityOperatorLifecycleManager ClusterVersionCapability = "OperatorLifecycleManager" + // ClusterVersionCapabilityOperatorLifecycleManagerV1 manages the Operator Lifecycle Manager (v1) + // which itself manages the lifecycle of operators + ClusterVersionCapabilityOperatorLifecycleManagerV1 ClusterVersionCapability = "OperatorLifecycleManagerV1" + // ClusterVersionCapabilityCloudCredential manages credentials for cloud providers // in openshift cluster ClusterVersionCapabilityCloudCredential ClusterVersionCapability = "CloudCredential" @@ -422,6 +426,7 @@ var KnownClusterVersionCapabilities = []ClusterVersionCapability{ ClusterVersionCapabilityDeploymentConfig, ClusterVersionCapabilityImageRegistry, ClusterVersionCapabilityOperatorLifecycleManager, + ClusterVersionCapabilityOperatorLifecycleManagerV1, ClusterVersionCapabilityCloudCredential, ClusterVersionCapabilityIngress, ClusterVersionCapabilityCloudControllerManager, @@ -600,6 +605,7 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers ClusterVersionCapabilityDeploymentConfig, ClusterVersionCapabilityImageRegistry, ClusterVersionCapabilityOperatorLifecycleManager, + ClusterVersionCapabilityOperatorLifecycleManagerV1, ClusterVersionCapabilityCloudCredential, ClusterVersionCapabilityIngress, ClusterVersionCapabilityCloudControllerManager, @@ -618,6 +624,7 @@ var ClusterVersionCapabilitySets = map[ClusterVersionCapabilitySet][]ClusterVers ClusterVersionCapabilityDeploymentConfig, ClusterVersionCapabilityImageRegistry, ClusterVersionCapabilityOperatorLifecycleManager, + ClusterVersionCapabilityOperatorLifecycleManagerV1, ClusterVersionCapabilityCloudCredential, ClusterVersionCapabilityIngress, ClusterVersionCapabilityCloudControllerManager, @@ -739,6 +746,16 @@ type Update struct { // Release represents an OpenShift release image and associated metadata. // +k8s:deepcopy-gen=true type Release struct { + // architecture is an optional field that indicates the + // value of the cluster architecture. In this context cluster + // architecture means either a single architecture or a multi + // architecture. + // Valid values are 'Multi' and empty. + // + // +openshift:enable:FeatureGate=ImageStreamImportMode + // +optional + Architecture ClusterVersionArchitecture `json:"architecture,omitempty"` + // version is a semantic version identifying the update version. When this // field is part of spec, version is optional if image is specified. // +required diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 392d128c1117..bc7b85b77a56 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -507,6 +507,20 @@ type AWSPlatformStatus struct { // +listType=atomic // +optional ResourceTags []AWSResourceTag `json:"resourceTags,omitempty"` + + // cloudLoadBalancerConfig holds configuration related to DNS and cloud + // load balancers. It allows configuration of in-cluster DNS as an alternative + // to the platform default DNS implementation. + // When using the ClusterHosted DNS type, Load Balancer IP addresses + // must be provided for the API and internal API load balancers as well as the + // ingress load balancer. + // + // +default={"dnsType": "PlatformDefault"} + // +kubebuilder:default={"dnsType": "PlatformDefault"} + // +openshift:enable:FeatureGate=AWSClusterHostedDNS + // +optional + // +nullable + CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"` } // AWSResourceTag is a tag to apply to AWS resources created for the cluster. @@ -647,12 +661,12 @@ type GCPPlatformStatus struct { // Tombstone the field as a reminder. // ClusterHostedDNS ClusterHostedDNS `json:"clusterHostedDNS,omitempty"` - // cloudLoadBalancerConfig is a union that contains the IP addresses of API, - // API-Int and Ingress Load Balancers created on the cloud platform. These - // values would not be populated on on-prem platforms. These Load Balancer - // IPs are used to configure the in-cluster DNS instances for API, API-Int - // and Ingress services. `dnsType` is expected to be set to `ClusterHosted` - // when these Load Balancer IP addresses are populated and used. + // cloudLoadBalancerConfig holds configuration related to DNS and cloud + // load balancers. It allows configuration of in-cluster DNS as an alternative + // to the platform default DNS implementation. + // When using the ClusterHosted DNS type, Load Balancer IP addresses + // must be provided for the API and internal API load balancers as well as the + // ingress load balancer. // // +default={"dnsType": "PlatformDefault"} // +kubebuilder:default={"dnsType": "PlatformDefault"} @@ -1579,7 +1593,7 @@ type PowerVSServiceEndpoint struct { // Power Cloud - https://cloud.ibm.com/apidocs/power-cloud // // +kubebuilder:validation:Required - // +kubebuilder:validation:Pattern=`^[a-z0-9-]+$` + // +kubebuilder:validation:Enum=CIS;COS;COSConfig;DNSServices;GlobalCatalog;GlobalSearch;GlobalTagging;HyperProtect;IAM;KeyProtect;Power;ResourceController;ResourceManager;VPC Name string `json:"name"` // url is fully qualified URI with scheme https, that overrides the default generated @@ -1725,6 +1739,7 @@ type NutanixPlatformSpec struct { // failureDomains configures failure domains information for the Nutanix platform. // When set, the failure domains defined here may be used to spread Machines across // prism element clusters to improve fault tolerance of the cluster. + // +openshift:validation:FeatureGateAwareMaxItems:featureGate=NutanixMultiSubnets,maxItems=32 // +listType=map // +listMapKey=name // +optional @@ -1751,13 +1766,15 @@ type NutanixFailureDomain struct { Cluster NutanixResourceIdentifier `json:"cluster"` // subnets holds a list of identifiers (one or more) of the cluster's network subnets + // If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured. // for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be // obtained from the Prism Central console or using the prism_central API. // +kubebuilder:validation:Required // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=1 - // +listType=map - // +listMapKey=type + // +openshift:validation:FeatureGateAwareMaxItems:featureGate="",maxItems=1 + // +openshift:validation:FeatureGateAwareMaxItems:featureGate=NutanixMultiSubnets,maxItems=32 + // +openshift:validation:FeatureGateAwareXValidation:featureGate=NutanixMultiSubnets,rule="self.all(x, self.exists_one(y, x == y))",message="each subnet must be unique" + // +listType=atomic Subnets []NutanixResourceIdentifier `json:"subnets"` } diff --git a/vendor/github.com/openshift/api/config/v1/types_node.go b/vendor/github.com/openshift/api/config/v1/types_node.go index b3b1b62c4dfc..a50328c91f6e 100644 --- a/vendor/github.com/openshift/api/config/v1/types_node.go +++ b/vendor/github.com/openshift/api/config/v1/types_node.go @@ -46,6 +46,25 @@ type NodeSpec struct { // the status and corresponding reaction of the cluster // +optional WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"` + + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. + // Specifically, the apiserver will deny most authorization requests of kubelets that are older + // than the specified version, only allowing the kubelet to get and update its node object, and perform + // subjectaccessreviews. + // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + // and will eventually be marked as not ready. + // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + // the underlying kubernetes version this version of Openshift is based off of. + // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + // they should set the minimumKubeletVersion to 1.30.0. + // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" + // +kubebuilder:validation:MaxLength:=8 + // +openshift:enable:FeatureGate=MinimumKubeletVersion + // +optional + MinimumKubeletVersion string `json:"minimumKubeletVersion"` } type NodeStatus struct { diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 069346998473..1b7fa44aad6d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -245,6 +245,11 @@ func (in *AWSPlatformStatus) DeepCopyInto(out *AWSPlatformStatus) { *out = make([]AWSResourceTag, len(*in)) copy(*out, *in) } + if in.CloudLoadBalancerConfig != nil { + in, out := &in.CloudLoadBalancerConfig, &out.CloudLoadBalancerConfig + *out = new(CloudLoadBalancerConfig) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index fa5dd4e31d3e..c1a8bd1ffeac 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -115,6 +115,7 @@ clusterversions.config.openshift.io: Capability: "" Category: "" FeatureGates: + - ImageStreamImportMode - SignatureStores FilenameOperatorName: cluster-version-operator FilenameOperatorOrdering: "01" @@ -310,9 +311,11 @@ infrastructures.config.openshift.io: Capability: "" Category: "" FeatureGates: + - AWSClusterHostedDNS - BareMetalLoadBalancer - GCPClusterHostedDNS - GCPLabelsTags + - NutanixMultiSubnets - VSphereControlPlaneMachineSet - VSphereMultiNetworks - VSphereMultiVCenters @@ -382,7 +385,8 @@ nodes.config.openshift.io: CRDName: nodes.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - MinimumKubeletVersion FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index c580bd8342e4..144f155a8451 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -772,11 +772,12 @@ func (PromQLClusterCondition) SwaggerDoc() map[string]string { } var map_Release = map[string]string{ - "": "Release represents an OpenShift release image and associated metadata.", - "version": "version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified.", - "image": "image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version.", - "url": "url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases.", - "channels": "channels is the set of Cincinnati channels to which the release currently belongs.", + "": "Release represents an OpenShift release image and associated metadata.", + "architecture": "architecture is an optional field that indicates the value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. Valid values are 'Multi' and empty.", + "version": "version is a semantic version identifying the update version. When this field is part of spec, version is optional if image is specified.", + "image": "image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version.", + "url": "url contains information about this release. This URL is set by the 'url' metadata property on a release or the metadata returned by the update API and should be displayed as a link in user interfaces. The URL field may not be set for test or nightly releases.", + "channels": "channels is the set of Cincinnati channels to which the release currently belongs.", } func (Release) SwaggerDoc() map[string]string { @@ -1184,10 +1185,11 @@ func (AWSPlatformSpec) SwaggerDoc() map[string]string { } var map_AWSPlatformStatus = map[string]string{ - "": "AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.", - "region": "region holds the default AWS region for new AWS resources created by the cluster.", - "serviceEndpoints": "ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.", - "resourceTags": "resourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user.", + "": "AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.", + "region": "region holds the default AWS region for new AWS resources created by the cluster.", + "serviceEndpoints": "ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.", + "resourceTags": "resourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user.", + "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (AWSPlatformStatus) SwaggerDoc() map[string]string { @@ -1389,7 +1391,7 @@ var map_GCPPlatformStatus = map[string]string{ "region": "region holds the region for new GCP resources created for the cluster.", "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", - "cloudLoadBalancerConfig": "cloudLoadBalancerConfig is a union that contains the IP addresses of API, API-Int and Ingress Load Balancers created on the cloud platform. These values would not be populated on on-prem platforms. These Load Balancer IPs are used to configure the in-cluster DNS instances for API, API-Int and Ingress services. `dnsType` is expected to be set to `ClusterHosted` when these Load Balancer IP addresses are populated and used.", + "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -1518,7 +1520,7 @@ var map_NutanixFailureDomain = map[string]string{ "": "NutanixFailureDomain configures failure domain information for the Nutanix platform.", "name": "name defines the unique name of a failure domain. Name is required and must be at most 64 characters in length. It must consist of only lower case alphanumeric characters and hyphens (-). It must start and end with an alphanumeric character. This value is arbitrary and is used to identify the failure domain within the platform.", "cluster": "cluster is to identify the cluster (the Prism Element under management of the Prism Central), in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", - "subnets": "subnets holds a list of identifiers (one or more) of the cluster's network subnets for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", + "subnets": "subnets holds a list of identifiers (one or more) of the cluster's network subnets If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured. for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be obtained from the Prism Central console or using the prism_central API.", } func (NutanixFailureDomain) SwaggerDoc() map[string]string { @@ -2087,8 +2089,9 @@ func (NodeList) SwaggerDoc() map[string]string { } var map_NodeSpec = map[string]string{ - "cgroupMode": "CgroupMode determines the cgroups version on the node", - "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", + "cgroupMode": "CgroupMode determines the cgroups version on the node", + "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (NodeSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index e3670f03e899..14650fd48f4e 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -41,6 +41,7 @@ type ClusterImagePolicySpec struct { // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 7031110ff1ea..a177ddb0d66b 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -40,6 +40,7 @@ type ImagePolicySpec struct { // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 9da086efc56f..55468f38dac6 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -102,7 +102,7 @@ func (ClusterImagePolicyList) SwaggerDoc() map[string]string { var map_ClusterImagePolicySpec = map[string]string{ "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } @@ -151,7 +151,7 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } diff --git a/vendor/github.com/openshift/api/console/v1/types_console_plugin.go b/vendor/github.com/openshift/api/console/v1/types_console_plugin.go index 24954687d530..534a41ca761a 100644 --- a/vendor/github.com/openshift/api/console/v1/types_console_plugin.go +++ b/vendor/github.com/openshift/api/console/v1/types_console_plugin.go @@ -43,11 +43,137 @@ type ConsolePluginSpec struct { Backend ConsolePluginBackend `json:"backend"` // proxy is a list of proxies that describe various service type // to which the plugin needs to connect to. + // +listType=atomic // +optional Proxy []ConsolePluginProxy `json:"proxy,omitempty"` // i18n is the configuration of plugin's localization resources. // +optional I18n ConsolePluginI18n `json:"i18n"` + // contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. + // Each directive specifies a list of values, appropriate for the given directive type, + // for example a list of remote endpoints for fetch directives such as ScriptSrc. + // Console web application uses CSP to detect and mitigate certain types of attacks, + // such as cross-site scripting (XSS) and data injection attacks. + // Dynamic plugins should specify this field if need to load assets from outside + // the cluster or if violation reports are observed. Dynamic plugins should always prefer + // loading their assets from within the cluster, either by vendoring them, or fetching + // from a cluster service. + // CSP violation reports can be viewed in the browser's console logs during development and + // testing of the plugin in the OpenShift web console. + // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc and FontSrc. + // Each of the available directives may be defined only once in the list. + // The value 'self' is automatically included in all fetch directives by the OpenShift web + // console's backend. + // For more information about the CSP directives, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + // + // The OpenShift web console server aggregates the CSP directives and values across + // its own default values and all enabled ConsolePlugin CRs, merging them into a single + // policy string that is sent to the browser via `Content-Security-Policy` HTTP response header. + // + // Example: + // ConsolePlugin A directives: + // script-src: https://script1.com/, https://script2.com/ + // font-src: https://font1.com/ + // + // ConsolePlugin B directives: + // script-src: https://script2.com/, https://script3.com/ + // font-src: https://font2.com/ + // img-src: https://img1.com/ + // + // Unified set of CSP directives, passed to the OpenShift web console server: + // script-src: https://script1.com/, https://script2.com/, https://script3.com/ + // font-src: https://font1.com/, https://font2.com/ + // img-src: https://img1.com/ + // + // OpenShift web console server CSP response header: + // Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none' + // + // +openshift:enable:FeatureGate=ConsolePluginContentSecurityPolicy + // +kubebuilder:validation:MaxItems=5 + // +kubebuilder:validation:XValidation:rule="self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192",message="the total combined size of values of all directives must not exceed 8192 (8kb)" + // +listType=map + // +listMapKey=directive + // +optional + ContentSecurityPolicy []ConsolePluginCSP `json:"contentSecurityPolicy"` +} + +// DirectiveType is an enumeration of OpenShift web console supported CSP directives. +// LoadType is an enumeration of i18n loading types. +// +kubebuilder:validation:Enum:="DefaultSrc";"ScriptSrc";"StyleSrc";"ImgSrc";"FontSrc" +// +enum +type DirectiveType string + +const ( + // DefaultSrc directive serves as a fallback for the other CSP fetch directives. + // For more information about the DefaultSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src + DefaultSrc DirectiveType = "DefaultSrc" + // ScriptSrc directive specifies valid sources for JavaScript. + // For more information about the ScriptSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src + ScriptSrc DirectiveType = "ScriptSrc" + // StyleSrc directive specifies valid sources for stylesheets. + // For more information about the StyleSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src + StyleSrc DirectiveType = "StyleSrc" + // ImgSrc directive specifies a valid sources of images and favicons. + // For more information about the ImgSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src + ImgSrc DirectiveType = "ImgSrc" + // FontSrc directive specifies valid sources for fonts loaded using @font-face. + // For more information about the FontSrcdirective, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src + FontSrc DirectiveType = "FontSrc" +) + +// CSPDirectiveValue is single value for a Content-Security-Policy directive. +// Each directive value must have a maximum length of 1024 characters and must not contain +// whitespace, commas (,), semicolons (;) or single quotes ('). The value '*' is not permitted. +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=1024 +// +kubebuilder:validation:XValidation:rule="!self.contains(\"'\")",message="CSP directive value cannot contain a quote" +// +kubebuilder:validation:XValidation:rule="!self.matches('\\\\s')",message="CSP directive value cannot contain a whitespace" +// +kubebuilder:validation:XValidation:rule="!self.contains(',')",message="CSP directive value cannot contain a comma" +// +kubebuilder:validation:XValidation:rule="!self.contains(';')",message="CSP directive value cannot contain a semi-colon" +// +kubebuilder:validation:XValidation:rule="self != '*'",message="CSP directive value cannot be a wildcard" +type CSPDirectiveValue string + +// ConsolePluginCSP holds configuration for a specific CSP directive +type ConsolePluginCSP struct { + // directive specifies which Content-Security-Policy directive to configure. + // Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc and FontSrc. + // DefaultSrc directive serves as a fallback for the other CSP fetch directives. + // For more information about the DefaultSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src + // ScriptSrc directive specifies valid sources for JavaScript. + // For more information about the ScriptSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src + // StyleSrc directive specifies valid sources for stylesheets. + // For more information about the StyleSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src + // ImgSrc directive specifies a valid sources of images and favicons. + // For more information about the ImgSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src + // FontSrc directive specifies valid sources for fonts loaded using @font-face. + // For more information about the FontSrc directive, see: + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src + // +kubebuilder:validation:Required + Directive DirectiveType `json:"directive"` + // values defines an array of values to append to the console defaults for this directive. + // Each ConsolePlugin may define their own directives with their values. These will be set + // by the OpenShift web console's backend, as part of its Content-Security-Policy header. + // The array can contain at most 16 values. Each directive value must have a maximum length + // of 1024 characters and must not contain whitespace, commas (,), semicolons (;) or single + // quotes ('). The value '*' is not permitted. + // Each value in the array must be unique. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="each CSP directive value must be unique" + // +listType=atomic + Values []CSPDirectiveValue `json:"values"` } // LoadType is an enumeration of i18n loading types diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go index b7cd66da0cbb..d4fefaa37c25 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go @@ -416,6 +416,27 @@ func (in *ConsolePluginBackend) DeepCopy() *ConsolePluginBackend { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConsolePluginCSP) DeepCopyInto(out *ConsolePluginCSP) { + *out = *in + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = make([]CSPDirectiveValue, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsolePluginCSP. +func (in *ConsolePluginCSP) DeepCopy() *ConsolePluginCSP { + if in == nil { + return nil + } + out := new(ConsolePluginCSP) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConsolePluginI18n) DeepCopyInto(out *ConsolePluginI18n) { *out = *in @@ -547,6 +568,13 @@ func (in *ConsolePluginSpec) DeepCopyInto(out *ConsolePluginSpec) { } } out.I18n = in.I18n + if in.ContentSecurityPolicy != nil { + in, out := &in.ContentSecurityPolicy, &out.ContentSecurityPolicy + *out = make([]ConsolePluginCSP, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml index 98abc7147b9f..250f873a0924 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml @@ -137,7 +137,8 @@ consoleplugins.console.openshift.io: CRDName: consoleplugins.console.openshift.io Capability: Console Category: "" - FeatureGates: [] + FeatureGates: + - ConsolePluginContentSecurityPolicy FilenameOperatorName: "" FilenameOperatorOrdering: "90" FilenameRunLevel: "" diff --git a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go index c6f2070fa4a1..685cb7ea276b 100644 --- a/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go @@ -187,6 +187,16 @@ func (ConsolePluginBackend) SwaggerDoc() map[string]string { return map_ConsolePluginBackend } +var map_ConsolePluginCSP = map[string]string{ + "": "ConsolePluginCSP holds configuration for a specific CSP directive", + "directive": "directive specifies which Content-Security-Policy directive to configure. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc and FontSrc. DefaultSrc directive serves as a fallback for the other CSP fetch directives. For more information about the DefaultSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src ScriptSrc directive specifies valid sources for JavaScript. For more information about the ScriptSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src StyleSrc directive specifies valid sources for stylesheets. For more information about the StyleSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src ImgSrc directive specifies a valid sources of images and favicons. For more information about the ImgSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src FontSrc directive specifies valid sources for fonts loaded using @font-face. For more information about the FontSrc directive, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src", + "values": "values defines an array of values to append to the console defaults for this directive. Each ConsolePlugin may define their own directives with their values. These will be set by the OpenShift web console's backend, as part of its Content-Security-Policy header. The array can contain at most 16 values. Each directive value must have a maximum length of 1024 characters and must not contain whitespace, commas (,), semicolons (;) or single quotes ('). The value '*' is not permitted. Each value in the array must be unique.", +} + +func (ConsolePluginCSP) SwaggerDoc() map[string]string { + return map_ConsolePluginCSP +} + var map_ConsolePluginI18n = map[string]string{ "": "ConsolePluginI18n holds information on localization resources that are served by the dynamic plugin.", "loadType": "loadType indicates how the plugin's localization resource should be loaded. Valid values are Preload, Lazy and the empty string. When set to Preload, all localization resources are fetched when the plugin is loaded. When set to Lazy, localization resources are lazily loaded as and when they are required by the console. When omitted or set to the empty string, the behaviour is equivalent to Lazy type.", @@ -251,11 +261,12 @@ func (ConsolePluginService) SwaggerDoc() map[string]string { } var map_ConsolePluginSpec = map[string]string{ - "": "ConsolePluginSpec is the desired plugin configuration.", - "displayName": "displayName is the display name of the plugin. The dispalyName should be between 1 and 128 characters.", - "backend": "backend holds the configuration of backend which is serving console's plugin .", - "proxy": "proxy is a list of proxies that describe various service type to which the plugin needs to connect to.", - "i18n": "i18n is the configuration of plugin's localization resources.", + "": "ConsolePluginSpec is the desired plugin configuration.", + "displayName": "displayName is the display name of the plugin. The dispalyName should be between 1 and 128 characters.", + "backend": "backend holds the configuration of backend which is serving console's plugin .", + "proxy": "proxy is a list of proxies that describe various service type to which the plugin needs to connect to.", + "i18n": "i18n is the configuration of plugin's localization resources.", + "contentSecurityPolicy": "contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin. Each directive specifies a list of values, appropriate for the given directive type, for example a list of remote endpoints for fetch directives such as ScriptSrc. Console web application uses CSP to detect and mitigate certain types of attacks, such as cross-site scripting (XSS) and data injection attacks. Dynamic plugins should specify this field if need to load assets from outside the cluster or if violation reports are observed. Dynamic plugins should always prefer loading their assets from within the cluster, either by vendoring them, or fetching from a cluster service. CSP violation reports can be viewed in the browser's console logs during development and testing of the plugin in the OpenShift web console. Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc and FontSrc. Each of the available directives may be defined only once in the list. The value 'self' is automatically included in all fetch directives by the OpenShift web console's backend. For more information about the CSP directives, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n\nThe OpenShift web console server aggregates the CSP directives and values across its own default values and all enabled ConsolePlugin CRs, merging them into a single policy string that is sent to the browser via `Content-Security-Policy` HTTP response header.\n\nExample:\n ConsolePlugin A directives:\n script-src: https://script1.com/, https://script2.com/\n font-src: https://font1.com/\n\n ConsolePlugin B directives:\n script-src: https://script2.com/, https://script3.com/\n font-src: https://font2.com/\n img-src: https://img1.com/\n\n Unified set of CSP directives, passed to the OpenShift web console server:\n script-src: https://script1.com/, https://script2.com/, https://script3.com/\n font-src: https://font1.com/, https://font2.com/\n img-src: https://img1.com/\n\n OpenShift web console server CSP response header:\n Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'", } func (ConsolePluginSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/envtest-releases.yaml b/vendor/github.com/openshift/api/envtest-releases.yaml index fa789b18cea2..a0e3f0ebdffc 100644 --- a/vendor/github.com/openshift/api/envtest-releases.yaml +++ b/vendor/github.com/openshift/api/envtest-releases.yaml @@ -12,3 +12,29 @@ releases: envtest-v1.30.3-linux-arm64.tar.gz: hash: deb395d5e9578a58786c42b4e7d878b4aef984ac2dce510031fbecf12092162a4aee1cde774f1527cfae90f6885382dc7b3d79ec379b7f4160c3a35fad7cbc3b selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.30.3-linux-arm64.tar.gz + v1.31.1: + envtest-v1.31.1-darwin-amd64.tar.gz: + hash: c884c6a9751f12f57ede0dc3d8dfffdb0f60f7111d6d01ca0693b66d663dfbd37c21ab6a9e571d1a6f649ed7db54b04b069ab0aff6366b2db2f5d3d8ba84a296 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.1-darwin-amd64.tar.gz + envtest-v1.31.1-darwin-arm64.tar.gz: + hash: c760be21c579a516cad8fbafd0f202229f5e074da1869958b84ae8dca295ffb33eb6fd4fd0b66349c31c4adff1561e7dd188137885e3661e34c0a14e12ada20e + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.1-darwin-arm64.tar.gz + envtest-v1.31.1-linux-amd64.tar.gz: + hash: a683fad736249b681d50c40715068ecb64f3ef22a85f29387eb61435c36dfe0cebf0bc7e109e237071cd856bc0e37d79a732309fd8d0b16fba6e019cf5c6e8b6 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.1-linux-amd64.tar.gz + envtest-v1.31.1-linux-arm64.tar.gz: + hash: 86fa42c6a3d92e438e35d6066587d0e4f36b910885e10520868959ece2fe740d99abc735f69d6ebe8920291f70d3819b169ad5ddd2db805f8f56a3b83eee3893 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.1-linux-arm64.tar.gz + v1.31.2: + envtest-v1.31.2-darwin-amd64.tar.gz: + hash: 4356c4495be7adc311868569bd69c5c17bfdabc243db3c656ac598be87698647e59d030a5f3c659b5ee0084bb0a9d33ea1faa2f5abfe0d762ec3368877cfd17f + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.2-darwin-amd64.tar.gz + envtest-v1.31.2-darwin-arm64.tar.gz: + hash: e1a759927343dfbbdff2909b7ea0046eb5c6840aea763b8d5d8229931fa35dcdcd5659fdace7a4eab1e41bc0b04c683aa96508f26aa38b3b5d3945799cb02324 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.2-darwin-arm64.tar.gz + envtest-v1.31.2-linux-amd64.tar.gz: + hash: c9efa849326afc471aff9ee17109491fe3e4d6d76b6d24e6ee8787ef44776abdc57ce6e96f013abf86c91d4ee94660e617a1623d9a71dd95238b6b6bd800aef7 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.2-linux-amd64.tar.gz + envtest-v1.31.2-linux-arm64.tar.gz: + hash: f6ad42b701537ddfd6873e9700f8e73927763878eaf36a5437d71fb62bffda91ce7f502e13f9ef4b508d37973ccddd3d847eba0d7150f7acb5495fd82558fbad + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.31.2-linux-arm64.tar.gz diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index e668fc88b366..514d0c116dad 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md @@ -6,31 +6,36 @@ | MachineAPIMigration| | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | +| ResilientWatchCacheInitialization| | | | | | | | GatewayAPI| | | Enabled | Enabled | | | +| NewOLM| | Enabled | | Enabled | | Enabled | +| AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | AdditionalRoutingCapabilities| | | Enabled | Enabled | Enabled | Enabled | | AutomatedEtcdBackup| | | Enabled | Enabled | Enabled | Enabled | | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | -| CSIDriverSharedResource| | | Enabled | Enabled | Enabled | Enabled | +| CMPSMachineNamePrefix| | | Enabled | Enabled | Enabled | Enabled | | ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | +| ConsolePluginContentSecurityPolicy| | | Enabled | Enabled | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | Enabled | Enabled | | DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | | Example| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | +| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfigAPI| | | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | | InsightsRuntimeExtractor| | | Enabled | Enabled | Enabled | Enabled | | MachineAPIProviderOpenStack| | | Enabled | Enabled | Enabled | Enabled | | MachineConfigNodes| | | Enabled | Enabled | Enabled | Enabled | -| ManagedBootImagesAWS| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | | MetricsCollectionProfiles| | | Enabled | Enabled | Enabled | Enabled | +| MinimumKubeletVersion| | | Enabled | Enabled | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled | | NetworkSegmentation| | | Enabled | Enabled | Enabled | Enabled | -| NewOLM| | | Enabled | Enabled | Enabled | Enabled | | NodeSwap| | | Enabled | Enabled | Enabled | Enabled | +| NutanixMultiSubnets| | | Enabled | Enabled | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | Enabled | Enabled | | OnClusterBuild| | | Enabled | Enabled | Enabled | Enabled | | PersistentIPsForVirtualization| | | Enabled | Enabled | Enabled | Enabled | @@ -47,7 +52,7 @@ | UserNamespacesPodSecurityStandards| | | Enabled | Enabled | Enabled | Enabled | | UserNamespacesSupport| | | Enabled | Enabled | Enabled | Enabled | | VSphereMultiNetworks| | | Enabled | Enabled | Enabled | Enabled | -| VSphereMultiVCenters| | | Enabled | Enabled | Enabled | Enabled | +| VolumeAttributesClass| | | Enabled | Enabled | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | | Enabled | Enabled | Enabled | Enabled | | AWSEFSDriverVolumeMetrics| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -64,7 +69,7 @@ | IngressControllerLBSubnetsAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| MetricsServer| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MultiArchInstallAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MultiArchInstallGCP| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -75,5 +80,6 @@ | SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereControlPlaneMachineSet| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereDriverConfiguration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| VSphereMultiVCenters| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereStaticIPs| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ValidatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 7f4962395432..7b8da5a3179e 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -36,10 +36,19 @@ func AllFeatureSets() map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGat var ( allFeatureGates = map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{} + FeatureGateConsolePluginCSP = newFeatureGate("ConsolePluginContentSecurityPolicy"). + reportProblemsToJiraComponent("Management Console"). + contactPerson("jhadvig"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1706"). + mustRegister() + FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). contactPerson("stlaz"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4193"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -47,6 +56,7 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("benluddy"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3488"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -54,6 +64,7 @@ var ( reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade). mustRegister() @@ -61,6 +72,7 @@ var ( reportProblemsToJiraComponent("Networking / router"). contactPerson("miheer"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -68,20 +80,15 @@ var ( reportProblemsToJiraComponent("auth"). contactPerson("ibihim"). productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/899"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateCSIDriverSharedResource = newFeatureGate("CSIDriverSharedResource"). - reportProblemsToJiraComponent("builds"). - contactPerson("adkaplan"). - productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateBuildCSIVolumes = newFeatureGate("BuildCSIVolumes"). reportProblemsToJiraComponent("builds"). contactPerson("adkaplan"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -89,6 +96,7 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("ehashman"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/2400"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -96,6 +104,7 @@ var ( reportProblemsToJiraComponent("openstack"). contactPerson("egarcia"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -103,6 +112,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -110,6 +120,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("jmesnil"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -117,6 +128,7 @@ var ( reportProblemsToJiraComponent("scheduling"). contactPerson("jchaloup"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -124,6 +136,7 @@ var ( reportProblemsToJiraComponent("cloud-credential-operator"). contactPerson("abutcher"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -131,6 +144,7 @@ var ( reportProblemsToJiraComponent("apps"). contactPerson("atiratree"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/961"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -138,12 +152,14 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("sairameshv"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3386"). mustRegister() FeatureGatePrivateHostedZoneAWS = newFeatureGate("PrivateHostedZoneAWS"). reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -151,6 +167,7 @@ var ( reportProblemsToJiraComponent("node"). contactPerson("sgrunert"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -158,6 +175,7 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("bhb"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -165,6 +183,7 @@ var ( reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -172,6 +191,7 @@ var ( reportProblemsToJiraComponent("machine-config-operator/platform-baremetal"). contactPerson("mkowalsk"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3705"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -179,13 +199,15 @@ var ( reportProblemsToJiraComponent("splat"). contactPerson("vr4manta"). productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateVSphereStaticIPs = newFeatureGate("VSphereStaticIPs"). reportProblemsToJiraComponent("splat"). contactPerson("rvanderp3"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -193,6 +215,15 @@ var ( reportProblemsToJiraComponent("router"). contactPerson("thejasn"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateCMPSMachineNamePrefix = newFeatureGate("CMPSMachineNamePrefix"). + reportProblemsToJiraComponent("Cloud Compute / ControlPlaneMachineSet"). + contactPerson("chiragkyal"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1714"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -200,6 +231,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -207,6 +239,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("tssurya"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -214,6 +247,7 @@ var ( reportProblemsToJiraComponent("Networking/cluster-network-operator"). contactPerson("jcaamano"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -221,6 +255,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("jcaamano"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -228,6 +263,7 @@ var ( reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("pliu"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -235,6 +271,7 @@ var ( reportProblemsToJiraComponent("Networking/cluster-network-operator"). contactPerson("kyrtapz"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -242,6 +279,7 @@ var ( reportProblemsToJiraComponent("Networking"). contactPerson("npinaeva"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -249,6 +287,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -256,6 +295,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -263,6 +303,7 @@ var ( reportProblemsToJiraComponent("etcd"). contactPerson("hasbro17"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -270,12 +311,14 @@ var ( reportProblemsToJiraComponent("ecoproject"). contactPerson("msluiter"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateDNSNameResolver = newFeatureGate("DNSNameResolver"). reportProblemsToJiraComponent("dns"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -283,6 +326,7 @@ var ( reportProblemsToJiraComponent("splat"). contactPerson("rvanderp3"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -290,6 +334,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("cdoern"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -297,19 +342,22 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("vincepri"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() - FeatureGateMetricsServer = newFeatureGate("MetricsServer"). - reportProblemsToJiraComponent("Monitoring"). - contactPerson("slashpai"). + FeatureGateGCPClusterHostedDNS = newFeatureGate("GCPClusterHostedDNS"). + reportProblemsToJiraComponent("Installer"). + contactPerson("barbacbd"). productScope(ocpSpecific). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateGCPClusterHostedDNS = newFeatureGate("GCPClusterHostedDNS"). + FeatureGateAWSClusterHostedDNS = newFeatureGate("AWSClusterHostedDNS"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -317,6 +365,7 @@ var ( reportProblemsToJiraComponent("NodeTuningOperator"). contactPerson("titzhak"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -324,6 +373,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("djoshy"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -331,13 +381,15 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("djoshy"). productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/2395"). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -345,6 +397,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("dkhater"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -352,6 +405,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("inesqyx"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -359,6 +413,7 @@ var ( reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("lmohanty"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -366,6 +421,7 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("dgrisonnet"). productScope(kubernetes). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -373,6 +429,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("jhernand"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -380,6 +437,7 @@ var ( reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("pmuller"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -387,13 +445,23 @@ var ( reportProblemsToJiraComponent("kube-apiserver"). contactPerson("akashem"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4006"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass"). + reportProblemsToJiraComponent("Storage / Kubernetes External Components"). + contactPerson("dfajmon"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3751"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot"). reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("fbertina"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/3476"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -401,6 +469,7 @@ var ( reportProblemsToJiraComponent("authentication"). contactPerson("liouk"). productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1596"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). enableForClusterProfile(Hypershift, configv1.Default, configv1.TechPreviewNoUpgrade). mustRegister() @@ -409,6 +478,7 @@ var ( reportProblemsToJiraComponent("cluster-config"). contactPerson("deads"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -416,6 +486,7 @@ var ( reportProblemsToJiraComponent("olm"). contactPerson("joe"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -423,13 +494,15 @@ var ( reportProblemsToJiraComponent("olm"). contactPerson("joe"). productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -437,6 +510,7 @@ var ( reportProblemsToJiraComponent("metal"). contactPerson("EmilienM"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -444,6 +518,7 @@ var ( reportProblemsToJiraComponent("insights"). contactPerson("tremes"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -451,6 +526,7 @@ var ( reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("jerzhang"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -458,6 +534,7 @@ var ( reportProblemsToJiraComponent("Monitoring"). contactPerson("rexagod"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -465,6 +542,7 @@ var ( reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("rbednar"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -472,12 +550,14 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("cjschaef"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateChunkSizeMiB = newFeatureGate("ChunkSizeMiB"). reportProblemsToJiraComponent("Image Registry"). contactPerson("flavianmissi"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -485,12 +565,14 @@ var ( reportProblemsToJiraComponent("OCPCLOUD"). contactPerson("jspeed"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). reportProblemsToJiraComponent("CNV Network"). contactPerson("mduarted"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -498,6 +580,7 @@ var ( reportProblemsToJiraComponent("Monitoring"). contactPerson("marioferh"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -505,6 +588,7 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -512,12 +596,14 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP"). reportProblemsToJiraComponent("Installer"). contactPerson("r4f4"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -525,6 +611,7 @@ var ( reportProblemsToJiraComponent("Routing"). contactPerson("miciah"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -532,6 +619,7 @@ var ( reportProblemsToJiraComponent("Storage / Kubernetes External Components"). contactPerson("fbertina"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -539,6 +627,7 @@ var ( reportProblemsToJiraComponent("Multi-Arch"). contactPerson("psundara"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -546,6 +635,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -553,6 +643,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/127"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -560,6 +651,7 @@ var ( reportProblemsToJiraComponent("Node"). contactPerson("haircommander"). productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4265"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -567,6 +659,38 @@ var ( reportProblemsToJiraComponent("SPLAT"). contactPerson("rvanderp"). productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager"). + reportProblemsToJiraComponent("Networking/router"). + contactPerson("miciah"). + productScope(ocpSpecific). + enhancementPR(legacyFeatureGateWithoutEnhancement). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion"). + reportProblemsToJiraComponent("Node"). + contactPerson("haircommander"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1697"). + mustRegister() + + FeatureGateNutanixMultiSubnets = newFeatureGate("NutanixMultiSubnets"). + reportProblemsToJiraComponent("Cloud Compute / Nutanix Provider"). + contactPerson("yanhli"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1711"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureGateResilientWatchCacheInitialization = newFeatureGate("ResilientWatchCacheInitialization"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("p0lyn0mial"). + productScope(kubernetes). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4568"). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go new file mode 100644 index 000000000000..06e1600e0d91 --- /dev/null +++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go @@ -0,0 +1,129 @@ +package features + +import "k8s.io/apimachinery/pkg/util/sets" + +var legacyFeatureGates = sets.New( + "AWSClusterHostedDNS", + // never add to this list, if you think you have an exception ask @deads2k + "AWSEFSDriverVolumeMetrics", + // never add to this list, if you think you have an exception ask @deads2k + "AdditionalRoutingCapabilities", + // never add to this list, if you think you have an exception ask @deads2k + "AdminNetworkPolicy", + // never add to this list, if you think you have an exception ask @deads2k + "AlibabaPlatform", + // never add to this list, if you think you have an exception ask @deads2k + "AutomatedEtcdBackup", + // never add to this list, if you think you have an exception ask @deads2k + "AzureWorkloadIdentity", + // never add to this list, if you think you have an exception ask @deads2k + "BareMetalLoadBalancer", + // never add to this list, if you think you have an exception ask @deads2k + "BootcNodeManagement", + // never add to this list, if you think you have an exception ask @deads2k + "BuildCSIVolumes", + // never add to this list, if you think you have an exception ask @deads2k + "ChunkSizeMiB", + // never add to this list, if you think you have an exception ask @deads2k + "ClusterAPIInstall", + // never add to this list, if you think you have an exception ask @deads2k + "ClusterAPIInstallIBMCloud", + // never add to this list, if you think you have an exception ask @deads2k + "ClusterMonitoringConfig", + // never add to this list, if you think you have an exception ask @deads2k + "DNSNameResolver", + // never add to this list, if you think you have an exception ask @deads2k + "EtcdBackendQuota", + // never add to this list, if you think you have an exception ask @deads2k + "Example", + // never add to this list, if you think you have an exception ask @deads2k + "GCPClusterHostedDNS", + // never add to this list, if you think you have an exception ask @deads2k + "GCPLabelsTags", + // never add to this list, if you think you have an exception ask @deads2k + "GatewayAPI", + // never add to this list, if you think you have an exception ask @deads2k + "HardwareSpeed", + // never add to this list, if you think you have an exception ask @deads2k + "ImageStreamImportMode", + // never add to this list, if you think you have an exception ask @deads2k + "IngressControllerDynamicConfigurationManager", + // never add to this list, if you think you have an exception ask @deads2k + "IngressControllerLBSubnetsAWS", + // never add to this list, if you think you have an exception ask @deads2k + "InsightsConfig", + // never add to this list, if you think you have an exception ask @deads2k + "InsightsConfigAPI", + // never add to this list, if you think you have an exception ask @deads2k + "InsightsOnDemandDataGather", + // never add to this list, if you think you have an exception ask @deads2k + "InsightsRuntimeExtractor", + // never add to this list, if you think you have an exception ask @deads2k + "KMSv1", + // never add to this list, if you think you have an exception ask @deads2k + "MachineAPIMigration", + // never add to this list, if you think you have an exception ask @deads2k + "MachineAPIOperatorDisableMachineHealthCheckController", + // never add to this list, if you think you have an exception ask @deads2k + "MachineAPIProviderOpenStack", + // never add to this list, if you think you have an exception ask @deads2k + "MachineConfigNodes", + // never add to this list, if you think you have an exception ask @deads2k + "ManagedBootImages", + // never add to this list, if you think you have an exception ask @deads2k + "ManagedBootImagesAWS", + // never add to this list, if you think you have an exception ask @deads2k + "MetricsCollectionProfiles", + // never add to this list, if you think you have an exception ask @deads2k + "MixedCPUsAllocation", + // never add to this list, if you think you have an exception ask @deads2k + "MultiArchInstallAWS", + // never add to this list, if you think you have an exception ask @deads2k + "MultiArchInstallAzure", + // never add to this list, if you think you have an exception ask @deads2k + "MultiArchInstallGCP", + // never add to this list, if you think you have an exception ask @deads2k + "NetworkDiagnosticsConfig", + // never add to this list, if you think you have an exception ask @deads2k + "NetworkLiveMigration", + // never add to this list, if you think you have an exception ask @deads2k + "NetworkSegmentation", + // never add to this list, if you think you have an exception ask @deads2k + "NewOLM", + // never add to this list, if you think you have an exception ask @deads2k + "NodeDisruptionPolicy", + // never add to this list, if you think you have an exception ask @deads2k + "OVNObservability", + // never add to this list, if you think you have an exception ask @deads2k + "OnClusterBuild", + // never add to this list, if you think you have an exception ask @deads2k + "PersistentIPsForVirtualization", + // never add to this list, if you think you have an exception ask @deads2k + "PinnedImages", + // never add to this list, if you think you have an exception ask @deads2k + "PlatformOperators", + // never add to this list, if you think you have an exception ask @deads2k + "PrivateHostedZoneAWS", + // never add to this list, if you think you have an exception ask @deads2k + "RouteAdvertisements", + // never add to this list, if you think you have an exception ask @deads2k + "RouteExternalCertificate", + // never add to this list, if you think you have an exception ask @deads2k + "SetEIPForNLBIngressController", + // never add to this list, if you think you have an exception ask @deads2k + "SignatureStores", + // never add to this list, if you think you have an exception ask @deads2k + "SigstoreImageVerification", + // never add to this list, if you think you have an exception ask @deads2k + "UpgradeStatus", + // never add to this list, if you think you have an exception ask @deads2k + "VSphereControlPlaneMachineSet", + // never add to this list, if you think you have an exception ask @deads2k + "VSphereDriverConfiguration", + // never add to this list, if you think you have an exception ask @deads2k + "VSphereMultiNetworks", + // never add to this list, if you think you have an exception ask @deads2k + "VSphereMultiVCenters", + // never add to this list, if you think you have an exception ask @deads2k + "VSphereStaticIPs", +) diff --git a/vendor/github.com/openshift/api/features/util.go b/vendor/github.com/openshift/api/features/util.go index d8d8e94a0e9e..59bb7bff4078 100644 --- a/vendor/github.com/openshift/api/features/util.go +++ b/vendor/github.com/openshift/api/features/util.go @@ -3,6 +3,8 @@ package features import ( "fmt" configv1 "github.com/openshift/api/config/v1" + "net/url" + "strings" ) // FeatureGateDescription is a golang-only interface used to contains details for a feature gate. @@ -18,6 +20,8 @@ type FeatureGateDescription struct { ResponsiblePerson string // OwningProduct is the product that owns the lifecycle of the gate. OwningProduct OwningProduct + // EnhancementPR is the PR for the enhancement. + EnhancementPR string } type FeatureGateEnabledDisabled struct { @@ -45,10 +49,15 @@ type featureGateBuilder struct { owningJiraComponent string responsiblePerson string owningProduct OwningProduct + enhancementPRURL string statusByClusterProfileByFeatureSet map[ClusterProfileName]map[configv1.FeatureSet]bool } +const ( + legacyFeatureGateWithoutEnhancement = "FeatureGate predates 4.18" +) + // newFeatureGate featuregate are disabled in every FeatureSet and selectively enabled func newFeatureGate(name string) *featureGateBuilder { b := &featureGateBuilder{ @@ -80,6 +89,11 @@ func (b *featureGateBuilder) productScope(owningProduct OwningProduct) *featureG return b } +func (b *featureGateBuilder) enhancementPR(url string) *featureGateBuilder { + b.enhancementPRURL = url + return b +} + func (b *featureGateBuilder) enableIn(featureSets ...configv1.FeatureSet) *featureGateBuilder { for clusterProfile := range b.statusByClusterProfileByFeatureSet { for _, featureSet := range featureSets { @@ -109,6 +123,22 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) { if len(b.owningProduct) == 0 { return "", fmt.Errorf("missing owningProduct") } + _, enhancementPRErr := url.Parse(b.enhancementPRURL) + switch { + case b.enhancementPRURL == legacyFeatureGateWithoutEnhancement: + if !legacyFeatureGates.Has(b.name) { + return "", fmt.Errorf("FeatureGate/%s is a new feature gate, not an existing one. It must have an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + } + + case len(b.enhancementPRURL) == 0: + return "", fmt.Errorf("FeatureGate/%s is missing an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + + case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/"): + return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name) + + case enhancementPRErr != nil: + return "", fmt.Errorf("FeatureGate/%s is enhancementPR is invalid: %w", b.name, enhancementPRErr) + } featureGateName := configv1.FeatureGateName(b.name) description := FeatureGateDescription{ @@ -118,6 +148,7 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) { OwningJiraComponent: b.owningJiraComponent, ResponsiblePerson: b.responsiblePerson, OwningProduct: b.owningProduct, + EnhancementPR: b.enhancementPRURL, } // statusByClusterProfileByFeatureSet is initialized by constructor to be false for every combination diff --git a/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go b/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go index b9cdcc213b84..6d29f42e3fcd 100644 --- a/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go +++ b/vendor/github.com/openshift/api/kubecontrolplane/v1/types.go @@ -62,6 +62,25 @@ type KubeAPIServerConfig struct { // TODO this needs to be removed. APIServerArguments map[string]Arguments `json:"apiServerArguments"` + + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. + // Specifically, the apiserver will deny most authorization requests of kubelets that are older + // than the specified version, only allowing the kubelet to get and update its node object, and perform + // subjectaccessreviews. + // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + // and will eventually be marked as not ready. + // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + // the underlying kubernetes version this version of Openshift is based off of. + // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + // they should set the minimumKubeletVersion to 1.30.0. + // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" + // +kubebuilder:validation:MaxLength:=8 + // +openshift:enable:FeatureGate=MinimumKubeletVersion + // +optional + MinimumKubeletVersion string `json:"minimumKubeletVersion"` } // Arguments masks the value so protobuf can generate diff --git a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go index 906bb271b00b..5ecdd0583926 100644 --- a/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go @@ -33,6 +33,7 @@ var map_KubeAPIServerConfig = map[string]string{ "projectConfig": "projectConfig feeds an admission plugin", "serviceAccountPublicKeyFiles": "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", "oauthConfig": "oauthConfig, if present start the /oauth endpoint in this process", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (KubeAPIServerConfig) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go index f458cbf6eff8..0a0567d630a2 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_vsphereprovider.go @@ -190,6 +190,10 @@ type Workspace struct { // ResourcePool is the resource pool in which VMs are created/located. // +optional ResourcePool string `gcfg:"resourcepool-path,omitempty" json:"resourcePool,omitempty"` + // vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal. + // +openshift:validation:featureGate=VSphereHostVMGroupZonal + // +optional + VMGroup string `gcfg:"vmGroup,omitempty" json:"vmGroup,omitempty"` } // VSphereMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field. diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 5bba232bf7f1..99540dde5e0d 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -822,6 +822,7 @@ var map_Workspace = map[string]string{ "folder": "Folder is the folder in which VMs are created/located.", "datastore": "Datastore is the datastore in which VMs are created/located.", "resourcePool": "ResourcePool is the resource pool in which VMs are created/located.", + "vmGroup": "vmGroup is the cluster vm group in which virtual machines will be added for vm host group based zonal.", } func (Workspace) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go index 574c90035a68..01644fcf7784 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go @@ -196,7 +196,8 @@ type ControllerConfigStatus struct { ObservedGeneration int64 `json:"observedGeneration,omitempty"` // conditions represents the latest available observations of current state. - // +listType=atomic + // +listType=map + // +listMapKey=type // +optional Conditions []ControllerConfigStatusCondition `json:"conditions"` diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index c2cac2c544d3..96dff59f312a 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -28,9 +28,11 @@ controllerconfigs.machineconfiguration.openshift.io: Capability: "" Category: "" FeatureGates: + - AWSClusterHostedDNS - BareMetalLoadBalancer - GCPClusterHostedDNS - GCPLabelsTags + - NutanixMultiSubnets - VSphereControlPlaneMachineSet - VSphereMultiNetworks - VSphereMultiVCenters diff --git a/vendor/github.com/openshift/api/operator/v1/register.go b/vendor/github.com/openshift/api/operator/v1/register.go index 21919f9a8be6..5920c4fca71d 100644 --- a/vendor/github.com/openshift/api/operator/v1/register.go +++ b/vendor/github.com/openshift/api/operator/v1/register.go @@ -62,6 +62,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &OpenShiftAPIServerList{}, &OpenShiftControllerManager{}, &OpenShiftControllerManagerList{}, + &OLM{}, + &OLMList{}, &ServiceCA{}, &ServiceCAList{}, &ServiceCatalogAPIServer{}, diff --git a/vendor/github.com/openshift/api/operator/v1/types.go b/vendor/github.com/openshift/api/operator/v1/types.go index eeb8afdc6d22..f04b6846aee5 100644 --- a/vendor/github.com/openshift/api/operator/v1/types.go +++ b/vendor/github.com/openshift/api/operator/v1/types.go @@ -147,17 +147,27 @@ type GenerationStatus struct { // group is the group of the thing you're tracking // +kubebuilder:validation:Required Group string `json:"group"` + // resource is the resource type of the thing you're tracking // +kubebuilder:validation:Required Resource string `json:"resource"` + // namespace is where the thing you're tracking is // +kubebuilder:validation:Required Namespace string `json:"namespace"` + // name is the name of the thing you're tracking // +kubebuilder:validation:Required Name string `json:"name"` + + // TODO: Add validation for lastGeneration. The value for this field should generally increase, except when the associated + // resource has been deleted and re-created. To accurately validate this field, we should introduce a new UID field and only + // enforce an increasing value in lastGeneration when the UID remains unchanged. A change in the UID indicates that the resource + // was re-created, allowing the lastGeneration value to reset or decrease. + // lastGeneration is the last generation of the workload controller involved LastGeneration int64 `json:"lastGeneration"` + // hash is an optional field set for resources without generation that are content sensitive like secrets and configmaps Hash string `json:"hash"` } @@ -178,12 +188,34 @@ var ( // OperatorCondition is just the standard condition fields. type OperatorCondition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required // +kubebuilder:validation:Required - Type string `json:"type"` - Status ConditionStatus `json:"status"` - LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` - Reason string `json:"reason,omitempty"` - Message string `json:"message,omitempty"` + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type" protobuf:"bytes,1,opt,name=type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` + + Reason string `json:"reason,omitempty"` + + Message string `json:"message,omitempty"` } type ConditionStatus string diff --git a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go index 0644b6a93c72..fa81ea7d79f1 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go +++ b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go @@ -20,7 +20,7 @@ import ( // +kubebuilder:resource:path=clustercsidrivers,scope=Cluster // +kubebuilder:subresource:status // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/701 -// +openshift:file-pattern=cvoRunLevel=0000_90,operatorName=csi-driver,operatorOrdering=01 +// +openshift:file-pattern=cvoRunLevel=0000_50,operatorName=csi-driver,operatorOrdering=01 // ClusterCSIDriver object allows management and configuration of a CSI driver operator // installed by default in OpenShift. Name of the object must be name of the CSI driver @@ -71,7 +71,7 @@ const ( RemovedStorageClass StorageClassStateName = "Removed" ) -// If you are adding a new driver name here, ensure that 0000_90_cluster_csi_driver_01_config.crd.yaml-merge-patch file is also updated with new driver name. +// If you are adding a new driver name here, ensure that 0000_50_cluster_csi_driver_01_config.crd.yaml-merge-patch file is also updated with new driver name. const ( AWSEBSCSIDriver CSIDriverName = "ebs.csi.aws.com" AWSEFSCSIDriver CSIDriverName = "efs.csi.aws.com" diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index 7ae22ee0a7ce..1f5664345649 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -392,6 +392,7 @@ type CIDR string // LoadBalancerStrategy holds parameters for a load balancer. // +openshift:validation:FeatureGateAwareXValidation:featureGate=SetEIPForNLBIngressController,rule="!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)",message="eipAllocations are forbidden when the scope is Internal." +// +kubebuilder:validation:XValidation:rule=`!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) || self.providerParameters.openstack.floatingIP == ""`,message="cannot specify a floating ip when scope is internal" type LoadBalancerStrategy struct { // scope indicates the scope at which the load balancer is exposed. // Possible values are "External" and "Internal". @@ -678,19 +679,28 @@ type IBMLoadBalancerParameters struct { // OpenStackLoadBalancerParameters provides configuration settings that are // specific to OpenStack load balancers. type OpenStackLoadBalancerParameters struct { - // loadBalancerIP specifies the floating IP address that the load balancer will use. + // loadBalancerIP is tombstoned since the field was replaced by floatingIP. + // LoadBalancerIP string `json:"loadBalancerIP,omitempty"` + + // floatingIP specifies the IP address that the load balancer will use. // When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + // When specified, the floating IP has to be pre-created. If the + // specified value is not a floating IP or is already claimed, the + // OpenStack cloud provider won't be able to provision the load + // balancer. + // This field may only be used if the IngressController has External scope. // This value must be a valid IPv4 or IPv6 address. // + --- - // + Note: this field is meant to be set by the ingress controller to populate the - // + `Service.Spec.LoadBalancerIP` field which has been deprecated in Kubernetes: + // + Note: this field is meant to be set by the ingress controller + // + to populate the `Service.Spec.LoadBalancerIP` field which has been + // + deprecated in Kubernetes: // + https://github.com/kubernetes/kubernetes/pull/107235 // + However, the field is still used by cloud-provider-openstack to reconcile - // + the floating IP that we attach to the load balancer. + // + the floating IP that we attach to the external load balancer. // - // +kubebuilder:validation:XValidation:rule="isIP(self)",message="loadBalancerIP must be a valid IPv4 or IPv6 address" + // +kubebuilder:validation:XValidation:rule="isIP(self)",message="floatingIP must be a valid IPv4 or IPv6 address" // +optional - LoadBalancerIP string `json:"loadBalancerIP,omitempty"` + FloatingIP string `json:"floatingIP,omitempty"` } // AWSClassicLoadBalancerParameters holds configuration parameters for an diff --git a/vendor/github.com/openshift/api/operator/v1/types_olm.go b/vendor/github.com/openshift/api/operator/v1/types_olm.go new file mode 100644 index 000000000000..1ce349d357f9 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/types_olm.go @@ -0,0 +1,61 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// OLM provides information to configure an operator to manage the OLM controllers +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=olms,scope=Cluster +// +kubebuilder:subresource:status +// +kubebuilder:metadata:annotations=include.release.openshift.io/ibm-cloud-managed=false +// +kubebuilder:metadata:annotations=include.release.openshift.io/self-managed-high-availability=true +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1504 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=operator-lifecycle-manager,operatorOrdering=01 +// +openshift:enable:FeatureGate=NewOLM +// +openshift:capability=OperatorLifecycleManagerV1 +// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="olm is a singleton, .metadata.name must be 'cluster'" +type OLM struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata"` + + //spec holds user settable values for configuration + //+kubebuilder:validation:Required + Spec OLMSpec `json:"spec"` + // status holds observed values from the cluster. They may not be overridden. + // +optional + Status OLMStatus `json:"status"` +} + +type OLMSpec struct { + OperatorSpec `json:",inline"` +} + +type OLMStatus struct { + OperatorStatus `json:",inline"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// OLMList is a collection of items +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type OLMList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata"` + + // Items contains the items + Items []OLM `json:"items"` +} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index 84edc0cab387..3b984f2a618b 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -3834,6 +3834,101 @@ func (in *OAuthAPIServerStatus) DeepCopy() *OAuthAPIServerStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OLM) DeepCopyInto(out *OLM) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OLM. +func (in *OLM) DeepCopy() *OLM { + if in == nil { + return nil + } + out := new(OLM) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OLM) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OLMList) DeepCopyInto(out *OLMList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OLM, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OLMList. +func (in *OLMList) DeepCopy() *OLMList { + if in == nil { + return nil + } + out := new(OLMList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OLMList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OLMSpec) DeepCopyInto(out *OLMSpec) { + *out = *in + in.OperatorSpec.DeepCopyInto(&out.OperatorSpec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OLMSpec. +func (in *OLMSpec) DeepCopy() *OLMSpec { + if in == nil { + return nil + } + out := new(OLMSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OLMStatus) DeepCopyInto(out *OLMStatus) { + *out = *in + in.OperatorStatus.DeepCopyInto(&out.OperatorStatus) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OLMStatus. +func (in *OLMStatus) DeepCopy() *OLMStatus { + if in == nil { + return nil + } + out := new(OLMStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OVNKubernetesConfig) DeepCopyInto(out *OVNKubernetesConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 9ed8975177ca..d45d8ac3004f 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -73,7 +73,7 @@ clustercsidrivers.operator.openshift.io: - VSphereDriverConfiguration FilenameOperatorName: csi-driver FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_90" + FilenameRunLevel: "0000_50" GroupName: operator.openshift.io HasStatus: true KindName: ClusterCSIDriver @@ -346,6 +346,31 @@ networks.operator.openshift.io: TopLevelFeatureGates: [] Version: v1 +olms.operator.openshift.io: + Annotations: + include.release.openshift.io/ibm-cloud-managed: "false" + include.release.openshift.io/self-managed-high-availability: "true" + ApprovedPRNumber: https://github.com/openshift/api/pull/1504 + CRDName: olms.operator.openshift.io + Capability: OperatorLifecycleManagerV1 + Category: "" + FeatureGates: + - NewOLM + FilenameOperatorName: operator-lifecycle-manager + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: operator.openshift.io + HasStatus: true + KindName: OLM + Labels: {} + PluralName: olms + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - NewOLM + Version: v1 + openshiftapiservers.operator.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/475 diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index a3a78a89b7c7..3c00fe2f032a 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -52,7 +52,10 @@ func (NodeStatus) SwaggerDoc() map[string]string { } var map_OperatorCondition = map[string]string{ - "": "OperatorCondition is just the standard condition fields.", + "": "OperatorCondition is just the standard condition fields.", + "type": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "status": "status of the condition, one of True, False, Unknown.", + "lastTransitionTime": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", } func (OperatorCondition) SwaggerDoc() map[string]string { @@ -1122,8 +1125,8 @@ func (NodePortStrategy) SwaggerDoc() map[string]string { } var map_OpenStackLoadBalancerParameters = map[string]string{ - "": "OpenStackLoadBalancerParameters provides configuration settings that are specific to OpenStack load balancers.", - "loadBalancerIP": "loadBalancerIP specifies the floating IP address that the load balancer will use. When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. This value must be a valid IPv4 or IPv6 address. ", + "": "OpenStackLoadBalancerParameters provides configuration settings that are specific to OpenStack load balancers.", + "floatingIP": "floatingIP specifies the IP address that the load balancer will use. When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. When specified, the floating IP has to be pre-created. If the specified value is not a floating IP or is already claimed, the OpenStack cloud provider won't be able to provision the load balancer. This field may only be used if the IngressController has External scope. This value must be a valid IPv4 or IPv6 address. ", } func (OpenStackLoadBalancerParameters) SwaggerDoc() map[string]string { @@ -1893,6 +1896,27 @@ func (StaticIPAMRoutes) SwaggerDoc() map[string]string { return map_StaticIPAMRoutes } +var map_OLM = map[string]string{ + "": "OLM provides information to configure an operator to manage the OLM controllers\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status holds observed values from the cluster. They may not be overridden.", +} + +func (OLM) SwaggerDoc() map[string]string { + return map_OLM +} + +var map_OLMList = map[string]string{ + "": "OLMList is a collection of items\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "Items contains the items", +} + +func (OLMList) SwaggerDoc() map[string]string { + return map_OLMList +} + var map_OpenShiftAPIServer = map[string]string{ "": "OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/types_olm.go b/vendor/github.com/openshift/api/operator/v1alpha1/types_olm.go index f29385b9fa1b..748834ca99d4 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/types_olm.go +++ b/vendor/github.com/openshift/api/operator/v1alpha1/types_olm.go @@ -17,6 +17,8 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:resource:path=olms,scope=Cluster // +kubebuilder:subresource:status +// +kubebuilder:metadata:annotations=include.release.openshift.io/ibm-cloud-managed=false +// +kubebuilder:metadata:annotations=include.release.openshift.io/self-managed-high-availability=true // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1504 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=operator-lifecycle-manager,operatorOrdering=01 // +openshift:enable:FeatureGate=NewOLM diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 30c058236da8..53d8ff23c328 100644 --- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -44,7 +44,9 @@ imagecontentsourcepolicies.operator.openshift.io: Version: v1alpha1 olms.operator.openshift.io: - Annotations: {} + Annotations: + include.release.openshift.io/ibm-cloud-managed: "false" + include.release.openshift.io/self-managed-high-availability: "true" ApprovedPRNumber: https://github.com/openshift/api/pull/1504 CRDName: olms.operator.openshift.io Capability: "" diff --git a/vendor/modules.txt b/vendor/modules.txt index c297f31ebcb7..4090d476d7cc 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -810,7 +810,7 @@ github.com/opencontainers/runtime-spec/specs-go github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/go-selinux/label github.com/opencontainers/selinux/pkg/pwalkdir -# github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f +# github.com/openshift/api v0.0.0-20241128230347-e456392b2cb4 ## explicit; go 1.22.0 github.com/openshift/api github.com/openshift/api/annotations diff --git a/zz_generated.manifests/test-reporting.yaml b/zz_generated.manifests/test-reporting.yaml index a79212e9a66f..b86564a46ce9 100644 --- a/zz_generated.manifests/test-reporting.yaml +++ b/zz_generated.manifests/test-reporting.yaml @@ -122,6 +122,22 @@ spec: - testName: '[sig-instrumentation][OCPFeatureGate:MetricsCollectionProfiles] The collection profiles feature-set initially, in a homogeneous default environment, should expose default metrics' + - featureGate: MinimumKubeletVersion + tests: + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization + should be able to get node' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization + should be able to list pods if new enough' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization + should be able to perform subjectaccessreviews' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] [Serial] authorization + should block node from listing pods if too old' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission + should allow an empty minimum kubelet version' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission + should allow an old minimum kubelet version' + - testName: '[sig-node][OCPFeatureGate:MinimumKubeletVersion] admission admission + should not allow with a new minimum kubelet version' - featureGate: NetworkDiagnosticsConfig tests: - testName: '[sig-network][OCPFeatureGate:NetworkDiagnosticsConfig][Serial] Should