diff --git a/Makefile b/Makefile index af34fe6..650ac2d 100644 --- a/Makefile +++ b/Makefile @@ -27,16 +27,23 @@ ifeq ($(GOHOSTOS),darwin) endif endif +ImageCredentials?="" update: hack/update.sh install-mce: ensure-helm - $(HELM) upgrade --install mce ./e2e/mce-chart + $(HELM) upgrade --install mce ./hack/mce-chart --set-file images.imageCredentials.dockerConfigJson=$(ImageCredentials) install-policy: ensure-helm $(HELM) upgrade --install policy ./policy +install-e2e-mce: ensure-helm + $(HELM) upgrade --install mce ./hack/mce-chart -f ./test/configuration/mce-values.yaml + +install-e2e-policy: ensure-helm + $(HELM) upgrade --install policy ./policy -f ./test/configuration/policy-values.yaml + e2e-install: hack/e2e-install.sh diff --git a/README.md b/README.md index f4bd294..36ecb39 100644 --- a/README.md +++ b/README.md @@ -9,19 +9,13 @@ The MCE operator is required to be installed on the Hub cluster. # Configure the MCE -1. Set the hub api server to the `spec.hubKubeAPIServerURL` in the `global` `klusterletConfig`, and then apply it. - -``` -kubectl apply -f ./configuration/klusterletconfig.yaml -``` - -2. Apply a `AddOnDeploymentConfig` for add-ons working in hosted mode. +1. Apply a `AddOnDeploymentConfig` for add-ons working in hosted mode. ``` kubectl apply -f ./configuration/addonhostedconfig.yaml ``` -3. Patch work-manager add-on to support hosted mode. +2. Patch work-manager add-on to support hosted mode. ``` kubectl patch clustermanagementaddon work-manager --type merge -p '{"spec":{"supportedConfigs":[{"defaultConfig":{"name":"addon-hosted-config","namespace":"multicluster-engine"},"group":"addon.open-cluster-management.io","resource":"addondeploymentconfigs"}]}}' diff --git a/configuration/klusterletconfig.yaml b/configuration/klusterletconfig.yaml index 9c1895a..d351fe9 100644 --- a/configuration/klusterletconfig.yaml +++ b/configuration/klusterletconfig.yaml 
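Review bot: The default `ImageCredentials?=""` leaves `install-mce` running `--set-file images.imageCredentials.dockerConfigJson=""`; make keeps the quote characters, so helm is asked to read a file literally named `""` and the target fails unless the variable is supplied on the command line. Make the flag conditional instead: `ImageCredentials?=` and `$(HELM) upgrade --install mce ./hack/mce-chart $(if $(ImageCredentials),--set-file images.imageCredentials.dockerConfigJson=$(ImageCredentials))`. The new `install-e2e-mce` and `install-e2e-policy` targets repeat the chart paths of `install-mce` and `install-policy`; a `MCE_CHART?=./hack/mce-chart` style variable would keep the four targets from drifting.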
@@ -3,4 +3,4 @@ kind: KlusterletConfig metadata: name: global spec: - hubKubeAPIServerURL: "hub cluster api server url" + hubKubeAPIServerURL: "https://kubernetes.default.svc:443" diff --git a/configuration/multiclusterengine.yaml b/configuration/multiclusterengine.yaml index ebe6051..4c1b0e7 100644 --- a/configuration/multiclusterengine.yaml +++ b/configuration/multiclusterengine.yaml @@ -17,7 +17,7 @@ spec: name: hypershift-local-hosting - enabled: true name: hypershift - - enabled: false + - enabled: true name: cluster-lifecycle - enabled: false name: discovery diff --git a/hack/e2e-install.sh b/hack/e2e-install.sh index 68cf57c..80b6e9f 100755 --- a/hack/e2e-install.sh +++ b/hack/e2e-install.sh @@ -42,14 +42,7 @@ function waitForReady() { echo "" echo "#### Install MCE on Hub cluster ####" -make ensure-helm - -# install released mce -# helm install mce ./hack/mce-chart --set-file images.imageCredentials.dockerConfigJson=pullsecret.json - -# install upstream mce -$HELM install mce ./hack/mce-chart -f ./test/configuration/mce-values.yaml - +make install-e2e-mce echo "" echo "###### Wait until MCE pod is running ######" 
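Review bot: `hubKubeAPIServerURL: "https://kubernetes.default.svc:443"` hard-codes the hub's in-cluster service address, which as far as I can tell is only resolvable from pods running on the hub itself, while the README step that told users to set this value is removed in the same commit, so a reader of this file no longer learns when the default is wrong. Add a comment above the field, e.g. `# in-cluster hub address: valid only while the klusterlet runs on the hub (hosted mode); use the externally reachable API URL otherwise`. The `cluster-lifecycle` `enabled: true` flip in `configuration/multiclusterengine.yaml` is repeated verbatim in `hack/mce-chart/templates/multiclusterengine.yaml` later in the diff; if the two files are meant to stay identical, a comment in each pointing at the other would help, otherwise the copy under `configuration/` could be rendered from the chart.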
@@ -62,13 +55,16 @@ waitForReady "kubectl get clustermanagers.operator.open-cluster-management.io | echo "" echo "#### Configure MCE ####" +# the crd should be installed by hypershift operator +# install it manully because does not install hypershift operator in kind cluster echo "" -echo "###### Wait until klusterletconfig CRD is installed ######" -waitForReady "kubectl get crds | grep -c \"klusterletconfigs\"" 1 +echo "###### Apply hostedCluster CRD to make hypershift addon Available ######" +kubectl create -f ./test/configuration/hostedclusters-crd.yaml + echo "" -echo "###### Create global klusterletconfig ######" -kubectl apply -f ./test/configuration/klusterletconfig.yaml +echo "###### klusterletconfig is for managed cluster ######" +kubectl apply -f configuration/klusterletconfig.yaml echo "" echo "###### Wait unitl local-cluster is created ######" @@ -90,9 +86,7 @@ kubectl apply -f ./configuration/workmanagercma.yaml echo "" echo "#### Install Policy addons #####" -make ensure-helm -$HELM install policy ./policy -f ./test/configuration/policy-values.yaml - +make install-e2e-policy echo "" echo "###### Enable policy addons for local-cluster ######" diff --git a/hack/mce-chart/templates/deployment.yaml b/hack/mce-chart/templates/deployment.yaml index 5af4ef7..a0f043e 100644 --- a/hack/mce-chart/templates/deployment.yaml +++ b/hack/mce-chart/templates/deployment.yaml @@ -95,8 +95,6 @@ spec: value: quay.io/stolostron/cluster-proxy-addon@sha256 - name: OPERAND_IMAGE_CLUSTERCLAIMS_CONTROLLER value: quay.io/stolostron/clusterclaims-controller@sha256 - - name: OPERAND_IMAGE_CLUSTERLIFECYCLE_STATE_METRICS - value: quay.io/stolostron/clusterlifecycle-state-metrics@sha256 - name: OPERAND_IMAGE_CONSOLE_MCE value: quay.io/stolostron/console-mce@sha256 - name: OPERAND_IMAGE_DISCOVERY_OPERATOR 
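Review bot: The wait for the `klusterletconfigs` CRD is dropped but `kubectl apply -f configuration/klusterletconfig.yaml` still runs right after the MCE install, so on a slow hub the apply can now race the CRD registration and fail with a no-matches error; keep `waitForReady "kubectl get crds | grep -c \"klusterletconfigs\"" 1` immediately before the apply. `kubectl create -f ./test/configuration/hostedclusters-crd.yaml` is also the one non-idempotent step in a script that otherwise uses `apply`, so a re-run of the script fails with AlreadyExists; if the 10k-line CRD was too large for client-side apply's last-applied annotation, `kubectl apply --server-side -f` avoids that limit. The CRD's `conversion.strategy: Webhook` points at service `operator` in namespace `hypershift`, which this script does not install, so any request that needs conversion between `v1alpha1` and `v1beta1` would presumably fail; that is acceptable if e2e only needs the CRD to exist, and the comment should say so. Fix the comment wording while there: `# the CRD is normally installed by the hypershift operator; install it manually because the operator is not deployed in the kind cluster`.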
@@ -116,7 +114,7 @@ spec: - name: OPERAND_IMAGE_HYPERSHIFT_ADDON_OPERATOR_CANARY_TEST value: quay.io/stolostron/hypershift-addon-operator-canary-test@sha256 - name: OPERAND_IMAGE_HYPERSHIFT_OPERATOR - value: quay.io/stolostron/hypershift-operator@sha256 + value: {{ .Values.images.overrides.hypershift_operator }} - name: OPERAND_IMAGE_IMAGE_BASED_INSTALL_OPERATOR value: quay.io/stolostron/image-based-install-operator@sha256 - name: OPERAND_IMAGE_MANAGED_SERVICEACCOUNT @@ -147,6 +145,8 @@ spec: value: {{ .Values.images.overrides.work }} - name: OPERAND_IMAGE_KUBE_RBAC_PROXY_MCE value: {{ .Values.images.overrides.kube_rbac_proxy_mce }} + - name: OPERAND_IMAGE_CLUSTERLIFECYCLE_STATE_METRICS + value: {{ .Values.images.overrides.clusterlifecycle_state_metrics }} - name: OPERATOR_VERSION value: {{ .Chart.AppVersion }} - name: OPERATOR_PACKAGE diff --git a/hack/mce-chart/templates/multiclusterengine.yaml b/hack/mce-chart/templates/multiclusterengine.yaml index 1f05cb8..1293e46 100644 --- a/hack/mce-chart/templates/multiclusterengine.yaml +++ b/hack/mce-chart/templates/multiclusterengine.yaml @@ -17,7 +17,7 @@ spec: name: hypershift-local-hosting - enabled: true name: hypershift - - enabled: false + - enabled: true name: cluster-lifecycle - enabled: false name: discovery diff --git a/hack/mce-chart/values.yaml b/hack/mce-chart/values.yaml index 3ac8ee9..220c41f 100644 --- a/hack/mce-chart/values.yaml +++ b/hack/mce-chart/values.yaml 
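Review bot: `value: {{ .Values.images.overrides.hypershift_operator }}` renders an empty `value:` when the selected values file omits the key, so a values file written before this commit (for example `./test/configuration/mce-values.yaml`, not in this diff) would hand the operator an empty image reference without any render-time complaint. `{{ required "images.overrides.hypershift_operator must be set" .Values.images.overrides.hypershift_operator }}` makes the omission a hard error, and the same applies to the new `clusterlifecycle_state_metrics` line in the next hunk. The `cluster-lifecycle` enablement in `hack/mce-chart/templates/multiclusterengine.yaml` presumably relies on that second override being resolvable, which is worth a one-line comment next to the env var.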
@@ -6,6 +6,7 @@ images: backplane_operator: "registry.redhat.io/multicluster-engine/backplane-rhel9-operator@sha256:8c2f526398df56f92bfc62af8e42c3e373c236ab67e58e877cf9690fc480d46a" registration_operator: "registry.redhat.io/multicluster-engine/registration-operator-rhel9@sha256:8a37700e9848830dca9a3eebd4c8ca6abd7b04dc28ab5cefd743d00dd58be92a" hypershift_addon_operator: "registry.redhat.io/multicluster-engine/hypershift-addon-rhel9-operator@sha256:af40c47a901c3c1851104427d3fd9db1f0cb6205e37917dc87af57facc90d75d" + hypershift_operator: "registry.redhat.io/multicluster-engine/hypershift-rhel9-operator@sha256:161292cbf4b81c928e6dc9162dc63b02b21c93bfa92b3272f437dc4ff5a02c3a" managedcluster_import_controller: "registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:09a2f864c76373c9c6af4e8f7c2ffe4dffecc2637cf1647b7d2926419265e3f4" multicloud_manager: "registry.redhat.io/multicluster-engine/multicloud-manager-rhel9@sha256:a0873734a8e0d0b5092820d7ded0436c30fd572abdabb01159b53f0bb2e9d4a3" addon_manager: "registry.redhat.io/multicluster-engine/addon-manager-rhel9@sha256:25cdce9461a24748fc6631fa4394b813deabdb27d0c95956508d2a38c504a6a9" @@ -13,6 +14,6 @@ images: registration: "registry.redhat.io/multicluster-engine/registration-rhel9@sha256:26ef4145f464f1c5cdb6ab42c119766669f7f08e46cbd4185bdbd3f4cd70bb54" placement: "registry.redhat.io/multicluster-engine/placement-rhel9@sha256:737cf1d7dcdf8c32d96894eebd686caf35959232f3fd774b307cf1df8068d26c" kube_rbac_proxy_mce: "registry.redhat.io/multicluster-engine/kube-rbac-proxy-mce-rhel9@sha256:b1ada80f881131283a94d84cb37edc4b9725ccea9b66ebf8ccd6956cb515531a" - + clusterlifecycle_state_metrics: "registry.redhat.io/multicluster-engine/clusterlifecycle-state-metrics-rhel9@sha256:bf5bb514e4d8af5e38317c3727d4cd9f90c22b293fe3e2367f9f0e179e0ee0c7" imageCredentials: dockerConfigJson: "" 
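Review bot: `imageCredentials.dockerConfigJson: ""` is the field the Makefile's `install-mce` fills with `--set-file` from a pull-secret file, but the values file does not say so, and the registry.redhat.io digests added above it normally cannot be pulled without that credential. Add a comment above the key: `# raw .dockerconfigjson content for registry.redhat.io; pass it at install time with --set-file (see Makefile install-mce) rather than writing it into a committed values file`. The `hypershift_operator` digest added here pairs with the template change in `hack/mce-chart/templates/deployment.yaml`; a comment naming the MCE release these digests belong to would make the next bump easier to review.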
diff --git a/test/configuration/azure-config.json b/test/configuration/azure-config.json
new file mode 100644
index 0000000..8bc2753
--- /dev/null
+++ b/test/configuration/azure-config.json
@@ -0,0 +1,7 @@
+{
+ "tenantId": "abc",
+ "subscriptionId": "123",
+ "resourceGroup": "test",
+ "aadClientId": "clientid",
+ "aadClientSecret": "clientpassword"
+ }
\ No newline at end of file
diff --git a/test/configuration/external-dns.yaml b/test/configuration/external-dns.yaml
new file mode 100644
index 0000000..643155a
--- /dev/null
+++ b/test/configuration/external-dns.yaml
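Review bot: The fixture commits an `aadClientId`/`aadClientSecret` pair with nothing marking them as dummy values, and JSON has no comment syntax, so secret scanners and reviewers will flag what looks like an Azure service-principal secret. If the consumer does not check the exact values, self-describing placeholders such as `"aadClientSecret": "dummy-client-secret-for-e2e"` remove the ambiguity; either way, name the fixture in the e2e script at the point where it presumably becomes the `hypershift-operator-external-dns-credentials` secret that `external-dns.yaml` mounts, since that link is not visible here. The closing brace is indented and the file lacks a trailing newline, as the `\ No newline at end of file` marker shows.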
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns
+ namespace: hypershift
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ name: external-dns
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: external-dns
+ hypershift.openshift.io/operator-component: external-dns
+ name: external-dns
+ spec:
+ containers:
+ - args:
+ - --source=service
+ - --source=openshift-route
+ - --domain-filter=myzone
+ - --provider=azure
+ - --registry=txt
+ - --txt-suffix=-external-dns
+ - --txt-owner-id=5461617c-6757-49cd-b5ba-deda35d941f5
+ - --label-filter=hypershift.openshift.io/route-visibility!=private
+ - --interval=1m
+ - --txt-cache-interval=1h
+ - --azure-config-file=/etc/provider/credentials
+ command:
+ - /external-dns
+ image: registry.redhat.io/edo/external-dns-rhel8@sha256:638fb6b5fc348f5cf52b9800d3d8e9f5315078fc9b1e57e800cb0a4a50f1b4b9
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: 7979
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: external-dns
+ ports:
+ - containerPort: 7979
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 5m
+ memory: 20Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/provider
+ name: credentials
+ dnsPolicy: ClusterFirst
+ imagePullSecrets:
+ - name: pull-secret
+ - name: open-cluster-management-image-pull-credentials
+ priorityClassName: hypershift-operator
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ serviceAccount: external-dns
+ serviceAccountName: external-dns
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: credentials
+ secret:
+ defaultMode: 420
+ secretName: hypershift-operator-external-dns-credentials
+
diff --git a/test/configuration/hostedclusters-crd.yaml b/test/configuration/hostedclusters-crd.yaml
new file mode 100644
index 0000000..aa46194
--- /dev/null
+++ b/test/configuration/hostedclusters-crd.yaml
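Review bot: The container `securityContext` only sets `privileged: false` and `readOnlyRootFilesystem: true`; for a pod that mounts DNS-provider credentials, add `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}`, which the restricted pod-security profile expects anyway. `--domain-filter=myzone` and `--txt-owner-id=5461617c-6757-49cd-b5ba-deda35d941f5` are hard-coded values that look exported from a live cluster, as do `creationTimestamp: null`, `revisionHistoryLimit`, `progressDeadlineSeconds`, `schedulerName` and `terminationMessagePath`; drop the server-filled defaults and add a header comment saying which values (zone, owner id, pull-secret and credential secret names) an e2e run must substitute. `resources` has requests but no `limits`; a limits block keeps a misbehaving external-dns from starving the hub.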
@@ -0,0 +1,10324 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: hostedclusters.hypershift.openshift.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: operator + namespace: hypershift + path: /convert + port: 443 + conversionReviewVersions: + - v1beta1 + - v1alpha1 + group: hypershift.openshift.io + names: + kind: HostedCluster + listKind: HostedClusterList + plural: hostedclusters + shortNames: + - hc + - hcs + singular: hostedcluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Version + jsonPath: .status.version.history[?(@.state=="Completed")].version + name: Version + type: string + - description: KubeConfig Secret + jsonPath: .status.kubeconfig.name + name: KubeConfig + type: string + - description: Progress + jsonPath: .status.version.history[?(@.state!="")].state + name: Progress + type: string + - description: Available + jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - description: Progressing + jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - description: Message + jsonPath: .status.conditions[?(@.type=="Available")].message + name: Message + type: string + deprecated: true + deprecationWarning: v1alpha1 is a deprecated version for HostedCluster + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + HostedCluster is the primary representation of a HyperShift cluster and encapsulates + the control plane and common data plane configuration. Creating a HostedCluster + results in a fully functional OpenShift control plane with no attached nodes. + To support workloads (e.g. pods), a HostedCluster may have one or more associated + NodePool resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the desired behavior of the HostedCluster. + properties: + additionalTrustBundle: + description: |- + AdditionalTrustBundle is a reference to a ConfigMap containing a + PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + auditWebhook: + description: |- + AuditWebhook contains metadata for configuring an audit webhook endpoint + for a cluster to process cluster audit events. It references a secret that + contains the webhook information for the audit webhook endpoint. It is a + secret because if the endpoint has mTLS the kubeconfig will contain client + keys. The kubeconfig needs to be stored in the secret with a secret key + name that corresponds to the constant AuditWebhookKubeconfigKey. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + autoscaling: + description: |- + Autoscaling specifies auto-scaling behavior that applies to all NodePools + associated with the control plane. + properties: + maxNodeProvisionTime: + description: |- + MaxNodeProvisionTime is the maximum time to wait for node provisioning + before considering the provisioning to be unsuccessful, expressed as a Go + duration string. The default is 15 minutes. + pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ + type: string + maxNodesTotal: + description: |- + MaxNodesTotal is the maximum allowable number of nodes across all NodePools + for a HostedCluster. The autoscaler will not grow the cluster beyond this + number. + format: int32 + minimum: 0 + type: integer + maxPodGracePeriod: + description: |- + MaxPodGracePeriod is the maximum seconds to wait for graceful pod + termination before scaling down a NodePool. The default is 600 seconds. + format: int32 + minimum: 0 + type: integer + podPriorityThreshold: + description: |- + PodPriorityThreshold enables users to schedule "best-effort" pods, which + shouldn't trigger autoscaler actions, but only run when there are spare + resources available. The default is -10. 
+ + + See the following for more details: + https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption + format: int32 + type: integer + type: object + channel: + description: |- + channel is an identifier for explicitly requesting that a non-default + set of updates be applied to this cluster. The default channel will be + contain stable updates that are appropriate for production clusters. + type: string + clusterID: + description: |- + ClusterID uniquely identifies this cluster. This is expected to be + an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in + hexadecimal values). + As with a Kubernetes metadata.uid, this ID uniquely identifies this + cluster in space and time. + This value identifies the cluster in metrics pushed to telemetry and + metrics produced by the control plane operators. If a value is not + specified, an ID is generated. After initial creation, the value is + immutable. + pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' + type: string + configuration: + description: |- + Configuration specifies configuration for individual OCP components in the + cluster, represented as embedded resources that correspond to the openshift + configuration API. + properties: + apiServer: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. 
+ items: + type: string + type: array + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request + user must be member of in order to this profile + to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + + If unset, the 'Default' profile is used as the default. 
+ enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
+ You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption + of resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. 
+ items: + description: APIServerNamedServingCert maps a server + DNS name, as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + type: object + type: array + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + + ciphers: + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. 
Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + + minTLSVersion: VersionTLS11 + + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - 
ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + - DHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-ECDSA-AES128-SHA256 + + + - ECDHE-RSA-AES128-SHA256 + + + - ECDHE-ECDSA-AES128-SHA + + + - ECDHE-RSA-AES128-SHA + + + - ECDHE-ECDSA-AES256-SHA384 + + + - ECDHE-RSA-AES256-SHA384 + + + - ECDHE-ECDSA-AES256-SHA + + + - ECDHE-RSA-AES256-SHA + + + - DHE-RSA-AES128-SHA256 + + + - DHE-RSA-AES256-SHA256 + + + - AES128-GCM-SHA256 + + + - AES256-GCM-SHA384 + + + - AES128-SHA256 + + + - AES256-SHA256 + + + - AES128-SHA + + + - AES256-SHA + + + - DES-CBC3-SHA + + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + authentication: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. 
+ This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + oidcProviders: + description: |- + OIDCProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + ClaimMappings describes rules on how to transform information from an + ID token into a cluster identity + properties: + groups: + description: |- + Groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. + properties: + claim: + description: Claim is a JWT token claim to be + used in the mapping + type: string + prefix: + description: |- + Prefix is a string to prefix the value from the token in the result of the + claim mapping. + + + By default, no prefixing occurs. + + + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + username: + description: |- + Username is a name of the claim that should be used to construct + usernames for the cluster identity. 
+ + + Default value: "sub" + properties: + claim: + description: Claim is a JWT token claim to be + used in the mapping + type: string + prefix: + properties: + prefixString: + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + PrefixPolicy specifies how a prefix should apply. + + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + + Set to "NoPrefix" to disable prefixing. + + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is + 'Prefix', but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy + == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: ClaimValidationRules are rules that are + applied to validate token claims to authenticate users. + items: + properties: + requiredClaim: + description: |- + RequiredClaim allows configuring a required claim name and its expected + value + properties: + claim: + description: |- + Claim is a name of a required claim. Only claims with string values are + supported. 
+ minLength: 1 + type: string + requiredValue: + description: RequiredValue is the required + value for the claim. + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: Type sets the type of the validation + rule + enum: + - RequiredClaim + type: string + type: object + type: array + x-kubernetes-list-type: atomic + issuer: + description: Issuer describes atributes of the OIDC + token issuer + properties: + audiences: + description: |- + Audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + issuerURL: + description: |- + URL is the serving URL of the token issuer. + Must use the https:// scheme. 
+ pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: Name of the OIDC provider + minLength: 1 + type: string + oidcClients: + description: |- + OIDCClients contains configuration for the platform's clients that + need to request tokens from the issuer + items: + properties: + clientID: + description: ClientID is the identifier of the + OIDC client from the OIDC provider + minLength: 1 + type: string + clientSecret: + description: |- + ClientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field + properties: + name: + description: name is the metadata.name of + the referenced secret + type: string + required: + - name + type: object + componentName: + description: |- + ComponentName is the name of the component that is supposed to consume this + client configuration + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + ComponentNamespace is the namespace of the component that is supposed to consume this + client configuration + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: ExtraScopes is an optional set of + scopes to request tokens with. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + + For further details, see: + + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting + it has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. 
+ It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + configMapRefs: + description: |- + ConfigMapRefs holds references to any configmaps referenced by + configuration entries. Entries can reference the configmaps using local + object references. + + + Deprecated + This field is deprecated and will be removed in a future release + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + type: array + featureGate: + description: FeatureGate holds cluster-wide information about + feature gates. + properties: + customNoUpgrade: + description: |- + customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. + Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations + your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. + nullable: true + properties: + disabled: + description: disabled is a list of all feature gates that + you want to force off + items: + description: FeatureGateName is a string to enforce + patterns on the name of a FeatureGate + pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ + type: string + type: array + enabled: + description: enabled is a list of all feature gates that + you want to force on + items: + description: FeatureGateName is a string to enforce + patterns on the name of a FeatureGate + pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ + type: string + type: array + type: object + featureSet: + description: |- + featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. + Turning on or off features may cause irreversible changes in your cluster which cannot be undone. + type: string + x-kubernetes-validations: + - message: CustomNoUpgrade may not be changed + rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' + : true' + - message: TechPreviewNoUpgrade may not be changed + rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' + : true' + - message: DevPreviewNoUpgrade may not be changed + rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? 
self == ''DevPreviewNoUpgrade'' + : true' + type: object + image: + description: |- + Image governs policies related to imagestream imports and runtime configuration + for external registries. It allows cluster admins to configure which registries + OpenShift is allowed to import images from, extra CA trust bundles for external + registries, and policies to block or allow registry hostnames. + When exposing OpenShift's image registry to the public, this also lets cluster + admins specify the external hostname. + properties: + additionalTrustedCA: + description: |- + additionalTrustedCA is a reference to a ConfigMap containing additional CAs that + should be trusted during imagestream import, pod image pull, build image pull, and + imageregistry pullthrough. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + allowedRegistriesForImport: + description: |- + allowedRegistriesForImport limits the container image registries that normal users may import + images from. Set this list to the registries that you trust to contain valid Docker + images and that you want applications to be able to import from. Users with + permission to create Images or ImageStreamMappings via the API are not affected by + this policy - typically only administrators or system integrations will have those + permissions. + items: + description: |- + RegistryLocation contains a location of the registry specified by the registry domain + name. The domain name might include wildcards, like '*' or '??'. + properties: + domainName: + description: |- + domainName specifies a domain name for the registry + In case the registry use non-standard (80 or 443) port, the port should be included + in the domain name as well. 
+ type: string + insecure: + description: |- + insecure indicates whether the registry is secure (https) or insecure (http) + By default (if not specified) the registry is assumed as secure. + type: boolean + type: object + type: array + externalRegistryHostnames: + description: |- + externalRegistryHostnames provides the hostnames for the default external image + registry. The external hostname should be set only when the image registry + is exposed externally. The first value is used in 'publicDockerImageRepository' + field in ImageStreams. The value must be in "hostname[:port]" format. + items: + type: string + type: array + registrySources: + description: |- + registrySources contains configuration that determines how the container runtime + should treat individual registries when accessing images for builds+pods. (e.g. + whether or not to allow insecure access). It does not contain configuration for the + internal cluster registry. + properties: + allowedRegistries: + description: |- + allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. + + + Only one of BlockedRegistries or AllowedRegistries may be set. + items: + type: string + type: array + blockedRegistries: + description: |- + blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. + + + Only one of BlockedRegistries or AllowedRegistries may be set. + items: + type: string + type: array + containerRuntimeSearchRegistries: + description: |- + containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified + domains in their pull specs. Registries will be searched in the order provided in the list. + Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. 
+ format: hostname + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + insecureRegistries: + description: insecureRegistries are registries which do + not have a valid TLS certificates or only support HTTP + connections. + items: + type: string + type: array + type: object + type: object + ingress: + description: |- + Ingress holds cluster-wide information about ingress, including the default ingress domain + used for routes. + properties: + appsDomain: + description: |- + appsDomain is an optional domain to use instead of the one specified + in the domain field when a Route is created without specifying an explicit + host. If appsDomain is nonempty, this value is used to generate default + host values for Route. Unlike domain, appsDomain may be modified after + installation. + This assumes a new ingresscontroller has been setup with a wildcard + certificate. + type: string + componentRoutes: + description: |- + componentRoutes is an optional list of routes that are managed by OpenShift components + that a cluster-admin is able to configure the hostname and serving certificate for. + The namespace and name of each route in this list should match an existing entry in the + status.componentRoutes list. + + + To determine the set of configurable Routes, look at namespace and name of entries in the + .status.componentRoutes list, where participating operators write the status of + configurable routes. + items: + description: ComponentRouteSpec allows for configuration + of a route's hostname and serving certificate. + properties: + hostname: + description: hostname is the hostname that should be + used by the route. 
+ pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ + type: string + name: + description: |- + name is the logical name of the route to customize. + + + The namespace and name of this componentRoute must match a corresponding + entry in the list of status.componentRoutes if the route is to be customized. + maxLength: 256 + minLength: 1 + type: string + namespace: + description: |- + namespace is the namespace of the route to customize. + + + The namespace and name of this componentRoute must match a corresponding + entry in the list of status.componentRoutes if the route is to be customized. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + servingCertKeyPairSecret: + description: |- + servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. + The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. + If the custom hostname uses the default routing suffix of the cluster, + the Secret specification for a serving certificate will not be needed. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + required: + - hostname + - name + - namespace + type: object + type: array + x-kubernetes-list-map-keys: + - namespace + - name + x-kubernetes-list-type: map + domain: + description: |- + domain is used to generate a default host name for a route when the + route's host name is empty. The generated host name will follow this + pattern: "..". + + + It is also used as the default wildcard domain suffix for ingress. The + default ingresscontroller domain will follow this pattern: "*.". 
+ + + Once set, changing domain is not currently supported. + type: string + loadBalancer: + description: |- + loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure + provider of the current cluster and are required for Ingress Controller to work on OpenShift. + properties: + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for the ingress load balancers. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains settings specific to the + Amazon Web Services infrastructure provider. + properties: + type: + description: |- + type allows user to set a load balancer type. + When this field is set the default ingresscontroller will get created using the specified LBType. + If this field is not set then the default ingress controller of LBType Classic will be created. + Valid values are: + + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - NLB + - Classic + type: string + required: + - type + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", + "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, + and must handle unrecognized platforms as None if they do not support that platform. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + type: object + type: object + requiredHSTSPolicies: + description: |- + requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes + matching the domainPattern/s and namespaceSelector/s that are specified in the policy. + Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route + annotation, and affect route admission. + + + A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: + "haproxy.router.openshift.io/hsts_header" + E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains + + + - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, + then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route + is rejected. + - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies + determines the route's admission status. + - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, + then it may use any HSTS Policy annotation. + + + The HSTS policy configuration may be changed after routes have already been created. An update to a previously + admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. + However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
+ + + Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. + items: + properties: + domainPatterns: + description: |- + domainPatterns is a list of domains for which the desired HSTS annotations are required. + If domainPatterns is specified and a route is created with a spec.host matching one of the domains, + the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. + + + The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. + foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. + items: + type: string + minItems: 1 + type: array + includeSubDomainsPolicy: + description: |- + includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's + domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: + - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com + - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com + - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com + - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com + enum: + - RequireIncludeSubDomains + - RequireNoIncludeSubDomains + - NoOpinion + type: string + maxAge: + description: |- + maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. + If set to 0, it negates the effect, and hosts are removed as HSTS hosts. + If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. + maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS + policy will eventually expire on that client. + properties: + largestMaxAge: + description: |- + The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age + This value can be left unspecified, in which case no upper limit is enforced. 
+ format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + smallestMaxAge: + description: |- + The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age + Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary + tool for administrators to quickly correct mistakes. + This value can be left unspecified, in which case no lower limit is enforced. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + type: object + namespaceSelector: + description: |- + namespaceSelector specifies a label selector such that the policy applies only to those routes that + are in namespaces with labels that match the selector, and are in one of the DomainPatterns. + Defaults to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + preloadPolicy: + description: |- + preloadPolicy directs the client to include hosts in its host preload list so that + it never needs to do an initial load to get the HSTS header (note that this is not defined + in RFC 6797 and is therefore client implementation-dependent). + enum: + - RequirePreload + - RequireNoPreload + - NoOpinion + type: string + required: + - domainPatterns + type: object + type: array + type: object + items: + description: |- + Items embeds the serialized configuration resources. + + + Deprecated + This field is deprecated and will be removed in a future release + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + x-kubernetes-preserve-unknown-fields: true + network: + description: |- + Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. + Please view network.spec for an explanation on what applies when configuring this resource. + TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. + properties: + clusterNetwork: + description: |- + IP address pool to use for pod IPs. + This field is immutable after installation. + items: + description: |- + ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs + are allocated. + properties: + cidr: + description: The complete block for pod IPs. + type: string + hostPrefix: + description: |- + The size (prefix) of block to allocate to each node. If this + field is not used by the plugin, it can be left unset. 
+ format: int32 + minimum: 0 + type: integer + type: object + type: array + x-kubernetes-list-type: atomic + externalIP: + description: |- + externalIP defines configuration for controllers that + affect Service.ExternalIP. If nil, then ExternalIP is + not allowed to be set. + properties: + autoAssignCIDRs: + description: |- + autoAssignCIDRs is a list of CIDRs from which to automatically assign + Service.ExternalIP. These are assigned when the service is of type + LoadBalancer. In general, this is only useful for bare-metal clusters. + In Openshift 3.x, this was misleadingly called "IngressIPs". + Automatically assigned External IPs are not affected by any + ExternalIPPolicy rules. + Currently, only one entry may be provided. + items: + type: string + type: array + x-kubernetes-list-type: atomic + policy: + description: |- + policy is a set of restrictions applied to the ExternalIP field. + If nil or empty, then ExternalIP is not allowed to be set. + properties: + allowedCIDRs: + description: allowedCIDRs is the list of allowed CIDRs. + items: + type: string + type: array + x-kubernetes-list-type: atomic + rejectedCIDRs: + description: |- + rejectedCIDRs is the list of disallowed CIDRs. These take precedence + over allowedCIDRs. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + type: object + networkDiagnostics: + description: |- + networkDiagnostics defines network diagnostics configuration. + + + Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. + If networkDiagnostics is not specified or is empty, + and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, + the network diagnostics feature will be disabled. + properties: + mode: + description: |- + mode controls the network diagnostics mode + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. 
+ The current default is All. + enum: + - "" + - All + - Disabled + type: string + sourcePlacement: + description: |- + sourcePlacement controls the scheduling of network diagnostics source deployment + + + See NetworkDiagnosticsSourcePlacement for more details about default values. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `kubernetes.io/os: linux`. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is an empty list. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + targetPlacement: + description: |- + targetPlacement controls the scheduling of network diagnostics target daemonset + + + See NetworkDiagnosticsTargetPlacement for more details about default values. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `kubernetes.io/os: linux`. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `- operator: "Exists"` which means that all taints are tolerated. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 
+ type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + networkType: + description: |- + NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). + This should match a value that the cluster-network-operator understands, + or else no networking will be installed. + Currently supported values are: + - OpenShiftSDN + This field is immutable after installation. + type: string + serviceNetwork: + description: |- + IP address pool for services. + Currently, we only support a single entry here. + This field is immutable after installation. + items: + type: string + type: array + x-kubernetes-list-type: atomic + serviceNodePortRange: + description: |- + The port range allowed for Services of type NodePort. + If not specified, the default of 30000-32767 will be used. 
+ Such Services without a NodePort specified will have one + automatically allocated from this range. + This parameter can be updated after the cluster is + installed. + pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ + type: string + type: object + oauth: + description: |- + OAuth holds cluster-wide information about OAuth. + It is used to configure the integrated OAuth server. + This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. + properties: + identityProviders: + description: |- + identityProviders is an ordered list of ways for a user to identify themselves. + When this list is empty, no identities are provisioned for users. + items: + description: IdentityProvider provides identities for users + authenticating using credentials + properties: + basicAuth: + description: basicAuth contains configuration options + for the BasicAuth IdP + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + tlsClientCert: + description: |- + tlsClientCert is an optional reference to a secret by name that contains the + PEM-encoded TLS client certificate to present when connecting to the server. + The key "tls.crt" is used to locate the data. 
+ If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + tlsClientKey: + description: |- + tlsClientKey is an optional reference to a secret by name that contains the + PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. + The key "tls.key" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the remote URL to connect to + type: string + type: object + github: + description: github enables user authentication using + GitHub credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + This can only be configured when hostname is set to a non-empty value. + The namespace for this config map is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + hostname: + description: |- + hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of + GitHub Enterprise. + It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. + type: string + organizations: + description: organizations optionally restricts + which organizations are allowed to log in + items: + type: string + type: array + teams: + description: teams optionally restricts which teams + are allowed to log in. Format is /. + items: + type: string + type: array + type: object + gitlab: + description: gitlab enables user authentication using + GitLab credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the oauth server base URL + type: string + type: object + google: + description: google enables user authentication using + Google credentials + properties: + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + hostedDomain: + description: hostedDomain is the optional Google + App domain (e.g. "mycompany.com") to restrict + logins to + type: string + type: object + htpasswd: + description: htpasswd enables user authentication using + an HTPasswd file to validate credentials + properties: + fileData: + description: |- + fileData is a required reference to a secret by name containing the data to use as the htpasswd file. + The key "htpasswd" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. 
+ If the specified htpasswd data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + type: object + keystone: + description: keystone enables user authentication using + keystone password credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + domainName: + description: domainName is required for keystone + v3 + type: string + tlsClientCert: + description: |- + tlsClientCert is an optional reference to a secret by name that contains the + PEM-encoded TLS client certificate to present when connecting to the server. + The key "tls.crt" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + tlsClientKey: + description: |- + tlsClientKey is an optional reference to a secret by name that contains the + PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. + The key "tls.key" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the remote URL to connect to + type: string + type: object + ldap: + description: ldap enables user authentication using + LDAP credentials + properties: + attributes: + description: attributes maps LDAP attributes to + identities + properties: + email: + description: |- + email is the list of attributes whose values should be used as the email address. Optional. + If unspecified, no email is set for the identity + items: + type: string + type: array + id: + description: |- + id is the list of attributes whose values should be used as the user ID. Required. + First non-empty attribute is used. At least one attribute is required. If none of the listed + attribute have a value, authentication fails. + LDAP standard identity attribute is "dn" + items: + type: string + type: array + name: + description: |- + name is the list of attributes whose values should be used as the display name. Optional. + If unspecified, no display name is set for the identity + LDAP standard display name attribute is "cn" + items: + type: string + type: array + preferredUsername: + description: |- + preferredUsername is the list of attributes whose values should be used as the preferred username. 
+ LDAP standard login attribute is "uid" + items: + type: string + type: array + type: object + bindDN: + description: bindDN is an optional DN to bind with + during the search phase. + type: string + bindPassword: + description: |- + bindPassword is an optional reference to a secret by name + containing a password to bind with during the search phase. + The key "bindPassword" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + insecure: + description: |- + insecure, if true, indicates the connection should not use TLS + WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always + attempt to connect using TLS, even when `insecure` is set to `true` + When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to + a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. + type: boolean + url: + description: |- + url is an RFC 2255 URL which specifies the LDAP search parameters to use. 
+ The syntax of the URL is: + ldap://host:port/basedn?attribute?scope?filter + type: string + type: object + mappingMethod: + description: |- + mappingMethod determines how identities from this provider are mapped to users + Defaults to "claim" + type: string + name: + description: |- + name is used to qualify the identities returned by this provider. + - It MUST be unique and not shared by any other identity provider used + - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" + Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName + type: string + openID: + description: openID enables user authentication using + OpenID credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + claims: + description: claims mappings + properties: + email: + description: |- + email is the list of claims whose values should be used as the email address. Optional. + If unspecified, no email is set for the identity + items: + type: string + type: array + x-kubernetes-list-type: atomic + groups: + description: |- + groups is the list of claims value of which should be used to synchronize groups + from the OIDC provider to OpenShift for the user. + If multiple claims are specified, the first one with a non-empty value is used. 
+ items: + description: |- + OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo + responses + minLength: 1 + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: |- + name is the list of claims whose values should be used as the display name. Optional. + If unspecified, no display name is set for the identity + items: + type: string + type: array + x-kubernetes-list-type: atomic + preferredUsername: + description: |- + preferredUsername is the list of claims whose values should be used as the preferred username. + If unspecified, the preferred username is determined from the value of the sub claim + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + extraAuthorizeParameters: + additionalProperties: + type: string + description: extraAuthorizeParameters are any custom + parameters to add to the authorize request. + type: object + extraScopes: + description: extraScopes are any scopes to request + in addition to the standard "openid" scope. + items: + type: string + type: array + issuer: + description: |- + issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. + It must use the https scheme with no query or fragment component. 
+ type: string + type: object + requestHeader: + description: requestHeader enables user authentication + using request header credentials + properties: + ca: + description: |- + ca is a required reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + Specifically, it allows verification of incoming requests to prevent header spoofing. + The key "ca.crt" is used to locate the data. + If the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + challengeURL: + description: |- + challengeURL is a URL to redirect unauthenticated /authorize requests to + Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be + redirected here. + ${url} is replaced with the current URL, escaped to be safe in a query parameter + https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string + https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when challenge is set to true. + type: string + clientCommonNames: + description: |- + clientCommonNames is an optional list of common names to require a match from. If empty, any + client certificate validated against the clientCA bundle is considered authoritative. 
+ items: + type: string + type: array + emailHeaders: + description: emailHeaders is the set of headers + to check for the email address + items: + type: string + type: array + headers: + description: headers is the set of headers to check + for identity information + items: + type: string + type: array + loginURL: + description: |- + loginURL is a URL to redirect unauthenticated /authorize requests to + Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here + ${url} is replaced with the current URL, escaped to be safe in a query parameter + https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string + https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when login is set to true. + type: string + nameHeaders: + description: nameHeaders is the set of headers to + check for the display name + items: + type: string + type: array + preferredUsernameHeaders: + description: preferredUsernameHeaders is the set + of headers to check for the preferred username + items: + type: string + type: array + type: object + type: + description: type identifies the identity provider type + for this entry. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + templates: + description: templates allow you to customize pages like the + login page. + properties: + error: + description: |- + error is the name of a secret that specifies a go template to use to render error pages + during the authentication or grant flow. + The key "errors.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default error page is used. + If the specified template is not valid, the default error page is used. + If unspecified, the default error page is used. + The namespace for this secret is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + login: + description: |- + login is the name of a secret that specifies a go template to use to render the login page. + The key "login.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default login page is used. + If the specified template is not valid, the default login page is used. + If unspecified, the default login page is used. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + providerSelection: + description: |- + providerSelection is the name of a secret that specifies a go template to use to render + the provider selection page. + The key "providers.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default provider selection page is used. + If the specified template is not valid, the default provider selection page is used. + If unspecified, the default provider selection page is used. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + tokenConfig: + description: tokenConfig contains options for authorization + and access tokens + properties: + accessTokenInactivityTimeout: + description: |- + accessTokenInactivityTimeout defines the token inactivity timeout + for tokens granted by any client. + The value represents the maximum amount of time that can occur between + consecutive uses of the token. Tokens become invalid if they are not + used within this temporal window. The user will need to acquire a new + token to regain access once a token times out. 
Takes valid time + duration string such as "5m", "1.5h" or "2h45m". The minimum allowed + value for duration is 300s (5 minutes). If the timeout is configured + per client, then that value takes precedence. If the timeout value is + not specified and the client does not override the value, then tokens + are valid until their lifetime. + + + WARNING: existing tokens' timeout will not be affected (lowered) by changing this value + type: string + accessTokenInactivityTimeoutSeconds: + description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: + setting this field has no effect.' + format: int32 + type: integer + accessTokenMaxAgeSeconds: + description: accessTokenMaxAgeSeconds defines the maximum + age of access tokens + format: int32 + type: integer + type: object + type: object + operatorhub: + description: |- + OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. + The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. + properties: + disableAllDefaultSources: + description: |- + disableAllDefaultSources allows you to disable all the default hub + sources. If this is true, a specific entry in sources can be used to + enable a default source. If this is false, a specific entry in + sources can be used to disable or enable a default source. + type: boolean + sources: + description: |- + sources is the list of default hub sources and their configuration. + If the list is empty, it implies that the default hub sources are + enabled on the cluster unless disableAllDefaultSources is true. + If disableAllDefaultSources is true and sources is not empty, + the configuration present in sources will take precedence. The list of + default hub sources and their current state will always be reflected in + the status block. 
+ items: + description: HubSource is used to specify the hub source + and its configuration + properties: + disabled: + description: disabled is used to disable a default hub + source on cluster + type: boolean + name: + description: name is the name of one of the default + hub sources + maxLength: 253 + minLength: 1 + type: string + type: object + type: array + type: object + proxy: + description: Proxy holds cluster-wide information on how to configure + default proxies for the cluster. + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. Empty + means unset and will not result in an env var. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS + requests. Empty means unset and will not result in an env + var. + type: string + noProxy: + description: |- + noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. + Empty means unset and will not result in an env var. + type: string + readinessEndpoints: + description: readinessEndpoints is a list of endpoints used + to verify readiness of the proxy. + items: + type: string + type: array + trustedCA: + description: |- + trustedCA is a reference to a ConfigMap containing a CA certificate bundle. + The trustedCA field should only be consumed by a proxy validator. The + validator is responsible for reading the certificate bundle from the required + key "ca-bundle.crt", merging it with the system default trust bundle, + and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" + in the "openshift-config-managed" namespace. Clients that expect to make + proxy connections must use the trusted-ca-bundle for all HTTPS requests to + the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as + well. + + + The namespace for the ConfigMap referenced by trustedCA is + "openshift-config". 
Here is an example ConfigMap (in yaml): + + + apiVersion: v1 + kind: ConfigMap + metadata: + name: user-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + Custom CA certificate bundle. + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + type: object + scheduler: + description: |- + Scheduler holds cluster-wide config information to run the Kubernetes Scheduler + and influence its placement decisions. The canonical name for this config is `cluster`. + properties: + defaultNodeSelector: + description: |- + defaultNodeSelector helps set the cluster-wide default node selector to + restrict pod placement to specific nodes. This is applied to the pods + created in all namespaces and creates an intersection with any existing + nodeSelectors already set on a pod, additionally constraining that pod's selector. + For example, + defaultNodeSelector: "type=user-node,region=east" would set nodeSelector + field in pod spec to "type=user-node,region=east" to all pods created + in all namespaces. Namespaces having project-wide node selectors won't be + impacted even if this field is set. This adds an annotation section to + the namespace. + For example, if a new namespace is created with + node-selector='type=user-node,region=east', + the annotation openshift.io/node-selector: type=user-node,region=east + gets added to the project. When the openshift.io/node-selector annotation + is set on the project the value is used in preference to the value we are setting + for defaultNodeSelector field. + For instance, + openshift.io/node-selector: "type=user-node,region=west" means + that the default of "type=user-node,region=east" set in defaultNodeSelector + would not be applied. + type: string + mastersSchedulable: + description: |- + MastersSchedulable allows masters nodes to be schedulable. 
When this flag is + turned on, all the master nodes in the cluster will be made schedulable, + so that workload pods can run on them. The default value for this field is false, + meaning none of the master nodes are schedulable. + Important Note: Once the workload pods start running on the master nodes, + extreme care must be taken to ensure that cluster-critical control plane components + are not impacted. + Please turn on this field after doing due diligence. + type: boolean + policy: + description: |- + DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. + policy is a reference to a ConfigMap containing scheduler policy which has + user specified predicates and priorities. If this ConfigMap is not available + scheduler will default to use DefaultAlgorithmProvider. + The namespace for this configmap is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + profile: + description: |- + profile sets which scheduling profile should be set in order to configure scheduling + decisions for new pods. + + + Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" + Defaults to "LowNodeUtilization" + enum: + - "" + - LowNodeUtilization + - HighNodeUtilization + - NoScoring + type: string + profileCustomizations: + description: profileCustomizations contains configuration + for modifying the default behavior of existing scheduler + profiles. + properties: + dynamicResourceAllocation: + description: |- + dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. + Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. + Third-party resource drivers are responsible for tracking and allocating resources. 
+ Different kinds of resources support arbitrary parameters for defining requirements and initialization. + Valid values are Enabled, Disabled and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, + which is subject to change over time. + The current default is Disabled. + enum: + - "" + - Enabled + - Disabled + type: string + type: object + type: object + secretRefs: + description: |- + SecretRefs holds references to any secrets referenced by configuration + entries. Entries can reference the secrets using local object references. + + + Deprecated + This field is deprecated and will be removed in a future release + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + type: array + type: object + controlPlaneRelease: + description: |- + ControlPlaneRelease specifies the desired OCP release payload for + control plane components running on the management cluster. + Updating this field will trigger a rollout of the control plane. The + behavior of the rollout will be driven by the ControllerAvailabilityPolicy + and InfrastructureAvailabilityPolicy. + If not defined, Release is used + properties: + image: + description: Image is the image pullspec of an OCP release payload + image. 
+ pattern: ^(\w+\S+)$ + type: string + required: + - image + type: object + controllerAvailabilityPolicy: + default: HighlyAvailable + description: |- + ControllerAvailabilityPolicy specifies the availability policy applied to + critical control plane components. The default value is HighlyAvailable. + type: string + dns: + description: DNS specifies DNS configuration for the cluster. + properties: + baseDomain: + description: BaseDomain is the base domain of the cluster. + type: string + baseDomainPrefix: + description: |- + BaseDomainPrefix is the base domain prefix of the cluster. + defaults to clusterName if not set + type: string + privateZoneID: + description: |- + PrivateZoneID is the Hosted Zone ID where all the DNS records that are only + available internally to the cluster exist. + type: string + publicZoneID: + description: |- + PublicZoneID is the Hosted Zone ID where all the DNS records that are + publicly accessible to the internet exist. + type: string + required: + - baseDomain + type: object + etcd: + default: + managed: + storage: + persistentVolume: + size: 4Gi + type: PersistentVolume + managementType: Managed + description: |- + Etcd specifies configuration for the control plane etcd cluster. The + default ManagementType is Managed. Once set, the ManagementType cannot be + changed. + properties: + managed: + description: Managed specifies the behavior of an etcd cluster + managed by HyperShift. + properties: + storage: + description: Storage specifies how etcd data is persisted. + properties: + persistentVolume: + description: |- + PersistentVolume is the configuration for PersistentVolume etcd storage. + With this implementation, a PersistentVolume will be allocated for every + etcd member (either 1 or 3 depending on the HostedCluster control plane + availability configuration). + properties: + size: + anyOf: + - type: integer + - type: string + default: 8Gi + description: Size is the minimum size of the data + volume for each etcd member. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: Etcd PV storage size is immutable + rule: self == oldSelf + storageClassName: + description: |- + StorageClassName is the StorageClass of the data volume for each etcd member. + + + See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. + type: string + type: object + restoreSnapshotURL: + description: |- + RestoreSnapshotURL allows an optional URL to be provided where + an etcd snapshot can be downloaded, for example a pre-signed URL + referencing a storage service. + This snapshot will be restored on initial startup, only when the etcd PV + is empty. + items: + type: string + type: array + x-kubernetes-validations: + - message: RestoreSnapshotURL shouldn't contain more than + 1 entry + rule: self.size() <= 1 + type: + description: Type is the kind of persistent storage implementation + to use for etcd. + enum: + - PersistentVolume + type: string + required: + - type + type: object + required: + - storage + type: object + managementType: + description: ManagementType defines how the etcd cluster is managed. + enum: + - Managed + - Unmanaged + type: string + unmanaged: + description: |- + Unmanaged specifies configuration which enables the control plane to + integrate with an eternally managed etcd cluster. + properties: + endpoint: + description: |- + Endpoint is the full etcd cluster client endpoint URL. For example: + + + https://etcd-client:2379 + + + If the URL uses an HTTPS scheme, the TLS field is required. + pattern: ^https:// + type: string + tls: + description: TLS specifies TLS configuration for HTTPS etcd + client endpoints. + properties: + clientSecret: + description: |- + ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. 
It + may have the following key/value pairs: + + + etcd-client-ca.crt: Certificate Authority value + etcd-client.crt: Client certificate value + etcd-client.key: Client certificate key value + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - clientSecret + type: object + required: + - endpoint + - tls + type: object + required: + - managementType + type: object + fips: + description: |- + FIPS indicates whether this cluster's nodes will be running in FIPS mode. + If set to true, the control plane's ignition server will be configured to + expect that nodes joining the cluster will be FIPS-enabled. + type: boolean + imageContentSources: + description: |- + ImageContentSources specifies image mirrors that can be used by cluster + nodes to pull content. + items: + description: |- + ImageContentSource specifies image mirrors that can be used by cluster nodes + to pull content. For cluster workloads, if a container image registry host of + the pullspec matches Source then one of the Mirrors are substituted as hosts + in the pullspec and tried in order to fetch the image. + properties: + mirrors: + description: Mirrors are one or more repositories that may also + contain the same images. + items: + type: string + type: array + source: + description: |- + Source is the repository that users refer to, e.g. in image pull + specifications. 
+ type: string + required: + - source + type: object + type: array + infraID: + description: |- + InfraID is a globally unique identifier for the cluster. This identifier + will be used to associate various cloud resources with the HostedCluster + and its associated NodePools. + type: string + infrastructureAvailabilityPolicy: + default: SingleReplica + description: |- + InfrastructureAvailabilityPolicy specifies the availability policy applied + to infrastructure services which run on cluster nodes. The default value is + SingleReplica. + type: string + issuerURL: + default: https://kubernetes.default.svc + description: |- + IssuerURL is an OIDC issuer URL which is used as the issuer in all + ServiceAccount tokens generated by the control plane API server. The + default value is kubernetes.default.svc, which only works for in-cluster + validation. + format: uri + type: string + networking: + default: + clusterNetwork: + - cidr: 10.132.0.0/14 + networkType: OVNKubernetes + serviceNetwork: + - cidr: 172.31.0.0/16 + description: Networking specifies network configuration for the cluster. + properties: + apiServer: + description: |- + APIServer contains advanced network settings for the API server that affect + how the APIServer is exposed inside a cluster node. + properties: + advertiseAddress: + description: |- + AdvertiseAddress is the address that nodes will use to talk to the API + server. This is an address associated with the loopback adapter of each + node. If not specified, 172.20.0.1 is used. + type: string + allowedCIDRBlocks: + description: |- + AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer + If not specified, traffic is allowed from all addresses. 
+ This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges + items: + pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ + type: string + type: array + port: + description: |- + Port is the port at which the APIServer is exposed inside a node. Other + pods using host networking cannot listen on this port. If not specified, + 6443 is used. + format: int32 + type: integer + type: object + clusterNetwork: + default: + - cidr: 10.132.0.0/14 + description: |- + ClusterNetwork is the list of IP address pools for pods. + TODO: make this required in the next version of the API + items: + description: |- + ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks + are allocated with size 2^HostSubnetLength. + properties: + cidr: + description: CIDR is the IP block address pool. + type: string + hostPrefix: + description: |- + HostPrefix is the prefix size to allocate to each node from the CIDR. + For example, 24 would allocate 2^8=256 adresses to each node. If this + field is not used by the plugin, it can be left unset. + format: int32 + type: integer + required: + - cidr + type: object + type: array + machineCIDR: + description: |- + Deprecated + This field will be removed in the next API release. + Use MachineNetwork instead + format: cidr + type: string + machineNetwork: + description: |- + MachineNetwork is the list of IP address pools for machines. + TODO: make this required in the next version of the API + items: + description: MachineNetworkEntry is a single IP address block + for node IP blocks. + properties: + cidr: + description: CIDR is the IP block address pool for machines + within the cluster. + type: string + required: + - cidr + type: object + type: array + networkType: + default: OVNKubernetes + description: NetworkType specifies the SDN provider used for cluster + networking. 
+ enum: + - OpenShiftSDN + - Calico + - OVNKubernetes + - Other + type: string + podCIDR: + description: |- + Deprecated + This field will be removed in the next API release. + Use ClusterNetwork instead + format: cidr + type: string + serviceCIDR: + description: |- + Deprecated + This field will be removed in the next API release. + Use ServiceNetwork instead + format: cidr + type: string + serviceNetwork: + default: + - cidr: 172.31.0.0/16 + description: |- + ServiceNetwork is the list of IP address pools for services. + NOTE: currently only one entry is supported. + TODO: make this required in the next version of the API + items: + description: ServiceNetworkEntry is a single IP address block + for the service network. + properties: + cidr: + description: CIDR is the IP block address pool for services + within the cluster. + type: string + required: + - cidr + type: object + type: array + required: + - networkType + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector when specified, must be true for the pods + managed by the HostedCluster to be scheduled. + type: object + olmCatalogPlacement: + default: management + description: |- + OLMCatalogPlacement specifies the placement of OLM catalog components. By default, + this is set to management and OLM catalog components are deployed onto the management + cluster. If set to guest, the OLM catalog components will be deployed onto the guest + cluster. + enum: + - management + - guest + type: string + pausedUntil: + description: |- + PausedUntil is a field that can be used to pause reconciliation on a resource. + Either a date can be provided in RFC3339 format or a boolean. If a date is + provided: reconciliation is paused on the resource until that date. If the boolean true is + provided: reconciliation is paused on the resource until the field is removed. 
+ type: string + platform: + description: |- + Platform specifies the underlying infrastructure provider for the cluster + and is used to configure platform specific behavior. + properties: + agent: + description: Agent specifies configuration for agent-based installations. + properties: + agentNamespace: + description: AgentNamespace is the namespace where to search + for Agents for this cluster + type: string + required: + - agentNamespace + type: object + aws: + description: AWS specifies configuration for clusters running + on Amazon Web Services. + properties: + additionalAllowedPrincipals: + description: |- + AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs + to be added to the hosted control plane's VPC Endpoint Service to enable additional + VPC Endpoint connection requests to be automatically accepted. + See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html + for more details around VPC Endpoint Service allowed principals. + items: + type: string + type: array + cloudProviderConfig: + description: |- + CloudProviderConfig specifies AWS networking configuration for the control + plane. + This is mainly used for cloud provider controller config: + https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 + TODO(dan): should this be named AWSNetworkConfig? + properties: + subnet: + description: Subnet is the subnet to use for control plane + cloud resources. + properties: + filters: + description: |- + Filters is a set of key/value pairs used to identify a resource + They are applied according to the rules defined by the AWS API: + https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html + items: + description: Filter is a filter used to identify + an AWS resource + properties: + name: + description: Name of the filter. Filter names + are case-sensitive. 
+ type: string + values: + description: Values includes one or more filter + values. Filter values are case-sensitive. + items: + type: string + type: array + required: + - name + - values + type: object + type: array + id: + description: ID of resource + type: string + type: object + vpc: + description: VPC is the VPC to use for control plane cloud + resources. + type: string + zone: + description: |- + Zone is the availability zone where control plane cloud resources are + created. + type: string + required: + - vpc + type: object + controlPlaneOperatorCreds: + description: |- + Deprecated + This field will be removed in the next API release. + Use RolesRef instead. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + endpointAccess: + default: Public + description: |- + EndpointAccess specifies the publishing scope of cluster endpoints. The + default is Public. + enum: + - Public + - PublicAndPrivate + - Private + type: string + kubeCloudControllerCreds: + description: |- + Deprecated + This field will be removed in the next API release. + Use RolesRef instead. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + multiArch: + default: false + description: |- + MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different + CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. + type: boolean + nodePoolManagementCreds: + description: |- + Deprecated + This field will be removed in the next API release. + Use RolesRef instead. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + region: + description: |- + Region is the AWS region in which the cluster resides. This configures the + OCP control plane cloud integrations, and is used by NodePool to resolve + the correct boot AMI for a given release. + type: string + resourceTags: + description: |- + ResourceTags is a list of additional tags to apply to AWS resources created + for the cluster. See + https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for + information on tagging AWS resources. AWS supports a maximum of 50 tags per + resource. OpenShift reserves 25 tags for its use, leaving 25 tags available + for the user. 
+ items: + description: AWSResourceTag is a tag to apply to AWS resources + created for the cluster. + properties: + key: + description: Key is the key of the tag. + maxLength: 128 + minLength: 1 + pattern: ^[0-9A-Za-z_.:/=+-@]+$ + type: string + value: + description: |- + Value is the value of the tag. + + + Some AWS service do not support empty values. Since tags are added to + resources in many services, the length of the tag value must meet the + requirements of all services. + maxLength: 256 + minLength: 1 + pattern: ^[0-9A-Za-z_.:/=+-@]+$ + type: string + required: + - key + - value + type: object + maxItems: 25 + type: array + x-kubernetes-list-map-keys: + - key + x-kubernetes-list-type: map + roles: + description: |- + Deprecated + This field will be removed in the next API release. + Use RolesRef instead. + items: + properties: + arn: + type: string + name: + type: string + namespace: + type: string + required: + - arn + - name + - namespace + type: object + type: array + rolesRef: + description: |- + RolesRef contains references to various AWS IAM roles required to enable + integrations such as OIDC. 
+ properties: + controlPlaneOperatorARN: + description: "ControlPlaneOperatorARN is an ARN value + referencing a role appropriate for the Control Plane + Operator.\n\n\nThe following is an example of a valid + policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" + type: string + imageRegistryARN: + description: "ImageRegistryARN is an ARN value referencing + a role appropriate for the Image Registry Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + ingressARN: + description: "The referenced role must have a trust relationship + that allows it to 
be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": + \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName + }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nIngressARN + is an ARN value referencing a role appropriate for the + Ingress Operator.\n\n\nThe following is an example of + a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" + type: string + kubeCloudControllerARN: + description: |- + KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. 
+ + + The following is an example of a valid policy document: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeVpcs", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:ModifyListener", + 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + } + ] + } + type: string + networkARN: + description: "NetworkARN is an ARN value referencing a + role appropriate for the Network Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n + \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n + \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + nodePoolManagementARN: + description: "NodePoolManagementARN is an ARN value referencing + a role appropriate for the CAPI Controller.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n + \ \"Version\": \"2012-10-17\",\n \"Statement\": [\n + \ {\n \"Action\": [\n \"ec2:AllocateAddress\",\n + \ \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n + \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n + \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n + \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n + \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n + \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n + \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n + \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n + \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n + \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n + \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n + \ 
\"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n + \ \"ec2:DescribeNetworkInterfaceAttribute\",\n + \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n + \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n + \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n + \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n + \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n + \ \"ec2:ReleaseAddress\",\n \"ec2:RevokeSecurityGroupIngress\",\n + \ \"ec2:RunInstances\",\n \"ec2:TerminateInstances\",\n + \ \"tag:GetResources\",\n \"ec2:CreateLaunchTemplate\",\n + \ \"ec2:CreateLaunchTemplateVersion\",\n \"ec2:DescribeLaunchTemplates\",\n + \ \"ec2:DescribeLaunchTemplateVersions\",\n \"ec2:DeleteLaunchTemplate\",\n + \ \"ec2:DeleteLaunchTemplateVersions\"\n ],\n + \ \"Resource\": [\n \"*\"\n ],\n \"Effect\": + \"Allow\"\n },\n {\n \"Condition\": {\n \"StringLike\": + {\n \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n + \ }\n },\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n + \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n + \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": + [\n \"iam:PassRole\"\n ],\n \"Resource\": + [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n + \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": + \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t + \ \t\t\"kms:Encrypt\",\n\t \t\t\"kms:GenerateDataKey\",\n\t + \ \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t \t\t\"kms:DescribeKey\"\n\t + \ \t],\n\t \t\"Resource\": \"*\"\n\t },\n\t {\n\t + \ \t\"Effect\": \"Allow\",\n\t \t\"Action\": [\n\t + \ \t\t\"kms:RevokeGrant\",\n\t \t\t\"kms:CreateGrant\",\n\t + \ \t\t\"kms:ListGrants\"\n\t \t],\n\t \t\"Resource\": + \"*\",\n\t \t\"Condition\": {\n\t \t\t\"Bool\": {\n\t + \ 
\t\t\t\"kms:GrantIsForAWSResource\": true\n\t \t\t}\n\t + \ \t}\n\t }\n ]\n}" + type: string + storageARN: + description: "StorageARN is an ARN value referencing a + role appropriate for the Storage Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + required: + - controlPlaneOperatorARN + - imageRegistryARN + - ingressARN + - kubeCloudControllerARN + - networkARN + - nodePoolManagementARN + - storageARN + type: object + serviceEndpoints: + description: |- + ServiceEndpoints specifies optional custom endpoints which will override + the default service endpoint of specific AWS Services. + + + There must be only one ServiceEndpoint for a given service name. + items: + description: |- + AWSServiceEndpoint stores the configuration for services to + override existing defaults of AWS Services. + properties: + name: + description: |- + Name is the name of the AWS service. + This must be provided and cannot be empty. + type: string + url: + description: |- + URL is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. 
+ pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + required: + - controlPlaneOperatorCreds + - kubeCloudControllerCreds + - nodePoolManagementCreds + - region + - rolesRef + type: object + azure: + description: Azure defines azure specific settings + properties: + cloud: + default: AzurePublicCloud + description: 'The cloud environment identifier, valid values + could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' + enum: + - AzurePublicCloud + - AzureUSGovernmentCloud + - AzureChinaCloud + - AzureGermanCloud + type: string + credentials: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + location: + type: string + resourceGroup: + type: string + securityGroupID: + type: string + subnetID: + type: string + subscriptionID: + type: string + vnetID: + type: string + required: + - credentials + - location + - resourceGroup + - securityGroupID + - subnetID + - subscriptionID + - vnetID + type: object + ibmcloud: + description: IBMCloud defines IBMCloud specific settings for components + properties: + providerType: + description: ProviderType is a specific supported infrastructure + provider within IBM Cloud. 
+ type: string + type: object + kubevirt: + description: KubeVirt defines KubeVirt specific settings for cluster + components. + properties: + baseDomainPassthrough: + description: |- + BaseDomainPassthrough toggles whether or not an automatically + generated base domain for the guest cluster should be used that + is a subdomain of the management cluster's *.apps DNS. + + + For the KubeVirt platform, the basedomain can be autogenerated using + the *.apps domain of the management/infra hosting cluster + This makes the guest cluster's base domain a subdomain of the + hypershift infra/mgmt cluster's base domain. + + + Example: + Infra/Mgmt cluster's DNS + Base: example.com + Cluster: mgmt-cluster.example.com + Apps: *.apps.mgmt-cluster.example.com + KubeVirt Guest cluster's DNS + Base: apps.mgmt-cluster.example.com + Cluster: guest.apps.mgmt-cluster.example.com + Apps: *.apps.guest.apps.mgmt-cluster.example.com + + + This is possible using OCP wildcard routes + type: boolean + x-kubernetes-validations: + - message: baseDomainPassthrough is immutable + rule: self == oldSelf + credentials: + description: |- + Credentials defines the client credentials used when creating KubeVirt virtual machines. + Defining credentials is only necessary when the KubeVirt virtual machines are being placed + on a cluster separate from the one hosting the Hosted Control Plane components. + + + The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on + the same cluster and namespace as the Hosted Control Plane. + properties: + infraKubeConfigSecret: + description: |- + InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster + that will be used to host the KubeVirt virtual machines for this cluster. 
+ properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + x-kubernetes-validations: + - message: infraKubeConfigSecret is immutable + rule: self == oldSelf + infraNamespace: + description: |- + InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt + virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig + referenced in the InfraKubeConfigSecret must have access to manage the required resources within this + namespace. + type: string + x-kubernetes-validations: + - message: infraNamespace is immutable + rule: self == oldSelf + required: + - infraNamespace + type: object + generateID: + description: |- + GenerateID is used to uniquely apply a name suffix to resources associated with + kubevirt infrastructure resources + maxLength: 11 + type: string + x-kubernetes-validations: + - message: Kubevirt GenerateID is immutable once set + rule: self == oldSelf + storageDriver: + description: |- + StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on + the infra cluster (hosting the VMs) to the guest cluster. + properties: + manual: + description: |- + Manual is used to explicilty define how the infra storageclasses are + mapped to guest storageclasses + properties: + storageClassMapping: + description: |- + StorageClassMapping maps StorageClasses on the infra cluster hosting + the KubeVirt VMs to StorageClasses that are made available within the + Guest Cluster. + + + NOTE: It is possible that not all capablities of an infra cluster's + storageclass will be present for the corresponding guest clusters storageclass. + items: + properties: + group: + description: Group contains which group this + mapping belongs to. 
+ type: string + guestStorageClassName: + description: |- + GuestStorageClassName is the name that the corresponding storageclass will + be called within the guest cluster + type: string + infraStorageClassName: + description: |- + InfraStorageClassName is the name of the infra cluster storage class that + will be exposed to the guest. + type: string + required: + - guestStorageClassName + - infraStorageClassName + type: object + type: array + x-kubernetes-validations: + - message: storageClassMapping is immutable + rule: self == oldSelf + volumeSnapshotClassMapping: + items: + properties: + group: + description: Group contains which group this + mapping belongs to. + type: string + guestVolumeSnapshotClassName: + description: |- + GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will + be called within the guest cluster + type: string + infraVolumeSnapshotClassName: + description: |- + InfraStorageClassName is the name of the infra cluster volume snapshot class that + will be exposed to the guest. 
+ type: string + required: + - guestVolumeSnapshotClassName + - infraVolumeSnapshotClassName + type: object + type: array + x-kubernetes-validations: + - message: volumeSnapshotClassMapping is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: storageDriver.Manual is immutable + rule: self == oldSelf + type: + default: Default + description: Type represents the type of kubevirt csi + driver configuration to use + enum: + - None + - Default + - Manual + type: string + x-kubernetes-validations: + - message: storageDriver.Type is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: storageDriver is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: Kubevirt GenerateID is required once set + rule: '!has(oldSelf.generateID) || has(self.generateID)' + powervs: + description: |- + PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. + This field is immutable. Once set, It can't be changed. + properties: + accountID: + description: |- + AccountID is the IBMCloud account id. + This field is immutable. Once set, It can't be changed. + type: string + cisInstanceCRN: + description: |- + CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name + This field is immutable. Once set, It can't be changed. + pattern: '^crn:' + type: string + imageRegistryOperatorCloudCreds: + description: |- + ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for image registry operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + ingressOperatorCloudCreds: + description: |- + IngressOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for ingress operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + kubeCloudControllerCreds: + description: |- + KubeCloudControllerCreds is a reference to a secret containing cloud + credentials with permissions matching the cloud controller policy. + This field is immutable. Once set, It can't be changed. + + + TODO(dan): document the "cloud controller policy" + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + nodePoolManagementCreds: + description: |- + NodePoolManagementCreds is a reference to a secret containing cloud + credentials with permissions matching the node pool management policy. + This field is immutable. Once set, It can't be changed. + + + TODO(dan): document the "node pool management policy" + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + region: + description: |- + Region is the IBMCloud region in which the cluster resides. This configures the + OCP control plane cloud integrations, and is used by NodePool to resolve + the correct boot image for a given release. + This field is immutable. Once set, It can't be changed. + type: string + resourceGroup: + description: |- + ResourceGroup is the IBMCloud Resource Group in which the cluster resides. + This field is immutable. Once set, It can't be changed. + type: string + serviceInstanceID: + description: |- + ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. + Power VS service is a container for all Power VS instances at a specific geographic region. + serviceInstance can be created via IBM Cloud catalog or CLI. + ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. + + + More detail about Power VS service instance. 
+ https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server + + + This field is immutable. Once set, It can't be changed. + type: string + storageOperatorCloudCreds: + description: |- + StorageOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for storage operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + subnet: + description: |- + Subnet is the subnet to use for control plane cloud resources. + This field is immutable. Once set, It can't be changed. + properties: + id: + description: ID of resource + type: string + name: + description: Name of resource + type: string + type: object + vpc: + description: |- + VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control + plane. + This field is immutable. Once set, It can't be changed. + properties: + name: + description: |- + Name for VPC to used for all the service load balancer. + This field is immutable. Once set, It can't be changed. + type: string + region: + description: |- + Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic + into the OCP cluster. + This field is immutable. Once set, It can't be changed. + type: string + subnet: + description: |- + Subnet is the subnet to use for load balancer. + This field is immutable. Once set, It can't be changed. 
+ type: string + zone: + description: |- + Zone is the availability zone where load balancer cloud resources are + created. + This field is immutable. Once set, It can't be changed. + type: string + required: + - name + - region + type: object + zone: + description: |- + Zone is the availability zone where control plane cloud resources are + created. + This field is immutable. Once set, It can't be changed. + type: string + required: + - accountID + - cisInstanceCRN + - imageRegistryOperatorCloudCreds + - ingressOperatorCloudCreds + - kubeCloudControllerCreds + - nodePoolManagementCreds + - region + - resourceGroup + - serviceInstanceID + - storageOperatorCloudCreds + - subnet + - vpc + - zone + type: object + type: + description: Type is the type of infrastructure provider for the + cluster. + enum: + - AWS + - None + - IBMCloud + - Agent + - KubeVirt + - Azure + - PowerVS + type: string + required: + - type + type: object + pullSecret: + description: |- + PullSecret references a pull secret to be injected into the container + runtime of all cluster nodes. The secret must have a key named + ".dockerconfigjson" whose value is the pull secret JSON. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + release: + description: |- + Release specifies the desired OCP release payload for the hosted cluster. + + + Updating this field will trigger a rollout of the control plane. 
The + behavior of the rollout will be driven by the ControllerAvailabilityPolicy + and InfrastructureAvailabilityPolicy. + properties: + image: + description: Image is the image pullspec of an OCP release payload + image. + pattern: ^(\w+\S+)$ + type: string + required: + - image + type: object + secretEncryption: + description: |- + SecretEncryption specifies a Kubernetes secret encryption strategy for the + control plane. + properties: + aescbc: + description: AESCBC defines metadata about the AESCBC secret encryption + strategy + properties: + activeKey: + description: ActiveKey defines the active key used to encrypt + new secrets + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + required: + - activeKey + type: object + kms: + description: KMS defines metadata about the kms secret encryption + strategy + properties: + aws: + description: AWS defines metadata about the configuration + of the AWS KMS Secret Encryption provider + properties: + activeKey: + description: ActiveKey defines the active key used to + encrypt new secrets + properties: + arn: + description: ARN is the Amazon Resource Name for the + encryption key + pattern: '^arn:' + type: string + required: + - arn + type: object + auth: + description: Auth defines metadata about the management + of credentials used to interact with AWS KMS + properties: + awsKms: + description: "The referenced role must have a trust + relationship that allows it to be assumed via web + identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": + \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ + .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nAWSKMSARN + is an ARN value referencing a role appropriate for + managing the auth via the AWS KMS key.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": + %q\n\t\t}\n\t]\n}" + type: string + credentials: + description: |- + Deprecated + This field is deprecated and will be removed in a future release. Use AWSKMSRoleARN instead. 
+ Credentials contains the name of the secret that holds the aws credentials that can be used + to make the necessary KMS calls. It should at key AWSCredentialsFileSecretKey contain the + aws credentials file that can be used to configure AWS SDKs + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - awsKms + - credentials + type: object + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + arn: + description: ARN is the Amazon Resource Name for the + encryption key + pattern: '^arn:' + type: string + required: + - arn + type: object + region: + description: Region contains the AWS region + type: string + required: + - activeKey + - auth + - region + type: object + azure: + description: Azure defines metadata about the configuration + of the Azure KMS Secret Encryption provider using Azure + key vault + properties: + activeKey: + description: ActiveKey defines the active key used to + encrypt new secrets + properties: + keyName: + description: KeyName is the name of the keyvault key + used for encrypt/decrypt + type: string + keyVaultName: + description: |- + KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name + Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: + `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` + type: string + keyVersion: + description: KeyVersion contains the version of the + key to use + type: string + required: + - keyName + - keyVaultName + - keyVersion + type: object + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + keyName: + description: KeyName is the name of the keyvault key + used for encrypt/decrypt + type: string + keyVaultName: + description: |- + KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name + Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: + `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` + type: string + keyVersion: + description: KeyVersion contains the version of the + key to use + type: string + required: + - keyName + - keyVaultName + - keyVersion + type: object + required: + - activeKey + type: object + ibmcloud: + description: IBMCloud defines metadata for the IBM Cloud KMS + encryption strategy + properties: + auth: + description: Auth defines metadata for how authentication + is done with IBM Cloud KMS + properties: + managed: + description: |- + Managed defines metadata around the service to service authentication strategy for the IBM Cloud + KMS system (all provider managed). 
+ type: object + type: + description: Type defines the IBM Cloud KMS authentication + strategy + enum: + - Managed + - Unmanaged + type: string + unmanaged: + description: Unmanaged defines the auth metadata the + customer provides to interact with IBM Cloud KMS + properties: + credentials: + description: |- + Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to + call IBM Cloud KMS APIs + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - credentials + type: object + required: + - type + type: object + keyList: + description: KeyList defines the list of keys used for + data encryption + items: + description: IBMCloudKMSKeyEntry defines metadata for + an IBM Cloud KMS encryption key + properties: + correlationID: + description: CorrelationID is an identifier used + to track all api call usage from hypershift + type: string + crkID: + description: CRKID is the customer rook key id + type: string + instanceID: + description: InstanceID is the id for the key protect + instance + type: string + keyVersion: + description: |- + KeyVersion is a unique number associated with the key. The number increments whenever a new + key is enabled for data encryption. 
+ type: integer + url: + description: URL is the url to call key protect + apis over + pattern: ^https:// + type: string + required: + - correlationID + - crkID + - instanceID + - keyVersion + - url + type: object + type: array + region: + description: Region is the IBM Cloud region + type: string + required: + - auth + - keyList + - region + type: object + provider: + description: Provider defines the KMS provider + enum: + - IBMCloud + - AWS + - Azure + type: string + required: + - provider + type: object + type: + description: Type defines the type of kube secret encryption being + used + enum: + - kms + - aescbc + type: string + required: + - type + type: object + serviceAccountSigningKey: + description: |- + ServiceAccountSigningKey is a reference to a secret containing the private key + used by the service account token issuer. The secret is expected to contain + a single key named "key". If not specified, a service account signing key will + be generated automatically for the cluster. When specifying a service account + signing key, a IssuerURL must also be specified. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + services: + description: |- + Services specifies how individual control plane services are published from + the hosting cluster of the control plane. + + + If a given service is not present in this list, it will be exposed publicly + by default. 
+ items: + description: |- + ServicePublishingStrategyMapping specifies how individual control plane + services are published from the hosting cluster of a control plane. + properties: + service: + description: Service identifies the type of service being published. + enum: + - APIServer + - OAuthServer + - OIDC + - Konnectivity + - Ignition + - OVNSbDb + type: string + servicePublishingStrategy: + description: ServicePublishingStrategy specifies how to publish + Service. + properties: + loadBalancer: + description: LoadBalancer configures exposing a service + using a LoadBalancer. + properties: + hostname: + description: Hostname is the name of the DNS record + that will be created pointing to the LoadBalancer. + type: string + type: object + nodePort: + description: NodePort configures exposing a service using + a NodePort. + properties: + address: + description: Address is the host/ip that the NodePort + service is exposed over. + type: string + port: + description: |- + Port is the port of the NodePort service. If <=0, the port is dynamically + assigned when the service is created. + format: int32 + type: integer + required: + - address + type: object + route: + description: Route configures exposing a service using a + Route. + properties: + hostname: + description: Hostname is the name of the DNS record + that will be created pointing to the Route. + type: string + type: object + type: + description: Type is the publishing strategy used for the + service. + enum: + - LoadBalancer + - NodePort + - Route + - None + - S3 + type: string + required: + - type + type: object + required: + - service + - servicePublishingStrategy + type: object + type: array + sshKey: + description: |- + SSHKey references an SSH key to be injected into all cluster node sshd + servers. The secret must have a single key "id_rsa.pub" whose value is the + public part of an SSH key. + properties: + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + tolerations: + description: Tolerations when specified, define what custome tolerations + are added to the hcp pods. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. 
+ If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + updateService: + description: |- + updateService may be used to specify the preferred upstream update service. + By default it will use the appropriate update service for the cluster and region. + type: string + required: + - networking + - platform + - pullSecret + - release + - services + - sshKey + type: object + status: + description: Status is the latest observed status of the HostedCluster. + properties: + conditions: + description: |- + Conditions represents the latest available observations of a control + plane's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controlPlaneEndpoint: + description: |- + ControlPlaneEndpoint contains the endpoint information by which + external clients can access the control plane. This is populated + after the infrastructure is ready. 
+ properties: + host: + description: Host is the hostname on which the API server is serving. + type: string + port: + description: Port is the port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + ignitionEndpoint: + description: |- + IgnitionEndpoint is the endpoint injected in the ign config userdata. + It exposes the config for instances to become kubernetes nodes. + type: string + kubeadminPassword: + description: |- + KubeadminPassword is a reference to the secret that contains the initial + kubeadmin user password for the guest cluster. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + kubeconfig: + description: |- + KubeConfig is a reference to the secret containing the default kubeconfig + for the cluster. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + oauthCallbackURLTemplate: + description: |- + OAuthCallbackURLTemplate contains a template for the URL to use as a callback + for identity providers. The [identity-provider-name] placeholder must be replaced + with the name of an identity provider defined on the HostedCluster. + This is populated after the infrastructure is ready. + type: string + platform: + description: Platform contains platform-specific status of the HostedCluster + properties: + aws: + description: AWSPlatformStatus contains status specific to the + AWS platform + properties: + defaultWorkerSecurityGroupID: + description: |- + DefaultWorkerSecurityGroupID is the ID of a security group created by + the control plane operator. It is always added to worker machines in + addition to any security groups specified in the NodePool. + type: string + type: object + type: object + version: + description: |- + Version is the status of the release version applied to the + HostedCluster. + properties: + availableUpdates: + description: |- + availableUpdates contains updates recommended for this + cluster. Updates which appear in conditionalUpdates but not in + availableUpdates may expose this cluster to known issues. This list + may be empty if no updates are recommended, if the update service + is unavailable, or if an invalid channel has been specified. + items: + description: Release represents an OpenShift release image and + associated metadata. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. 
+ type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + type: object + nullable: true + type: array + conditionalUpdates: + description: |- + conditionalUpdates contains the list of updates that may be + recommended for this cluster if it meets specific required + conditions. Consumers interested in the set of updates that are + actually recommended for this cluster should use + availableUpdates. This list may be empty if no updates are + recommended, if the update service is unavailable, or if an empty + or invalid channel has been specified. + items: + description: |- + ConditionalUpdate represents an update which is recommended to some + clusters on the version the current cluster is reconciling, but which + may not be recommended for the current cluster. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update's + current status. Known types are: + * Recommended, for whether the update is recommended for the current cluster. + items: + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the + field path .status.conditions. 
For example,\n\n\n\ttype + FooStatus struct{\n\t // Represents the observations + of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + type: object + risks: + description: |- + risks represents the range of issues associated with + updating to the target release. 
The cluster-version + operator will evaluate all entries, and only recommend the + update if there is at least one entry and all entries + recommend the update. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promQL represents a cluster condition + based on PromQL. + properties: + promql: + description: |- + PromQL is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. 
+ minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - release + - risks + type: object + type: array + x-kubernetes-list-type: atomic + desired: + description: |- + desired is the version that the cluster is reconciling towards. + If the cluster is not yet fully initialized desired will be set + with the information available, which may be an image or a tag. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + type: object + history: + description: |- + history contains a list of the most recent versions applied to the cluster. + This value may be empty during cluster startup, and then will be updated + when a new update is being applied. 
The newest update is first in the + list and it is ordered by recency. Updates in the history have state + Completed if the rollout completed - if an update was failing or halfway + applied the state will be Partial. Only a limited amount of update history + is preserved. + items: + description: UpdateHistory is a single attempted update to the + cluster. + properties: + acceptedRisks: + description: |- + acceptedRisks records risks which were accepted to initiate the update. + For example, it may menition an Upgradeable=False or missing signature + that was overriden via desiredUpdate.force, or an update that was + initiated despite not being in the availableUpdates set of recommended + update targets. + type: string + completionTime: + description: |- + completionTime, if set, is when the update was fully applied. The update + that is currently being applied will have a null completion time. + Completion time will always be set for entries that are not the current + update (usually to the started time of the next update). + format: date-time + nullable: true + type: string + image: + description: |- + image is a container image location that contains the update. This value + is always populated. + type: string + startedTime: + description: startedTime is the time at which the update + was started. + format: date-time + type: string + state: + description: |- + state reflects whether the update was fully applied. The Partial state + indicates the update is not fully applied, while the Completed state + indicates the update was successfully rolled out at least once (all + parts of the update successfully applied). + type: string + verified: + description: |- + verified indicates whether the provided update was properly verified + before it was installed. If this is false the cluster may not be trusted. + Verified does not cover upgradeable checks that depend on the cluster + state at the time when the update target was accepted. 
+ type: boolean + version: + description: |- + version is a semantic version identifying the update version. If the + requested image does not define a version, or if a failure occurs + retrieving the image, this value may be empty. + type: string + required: + - completionTime + - image + - startedTime + - state + - verified + type: object + type: array + observedGeneration: + description: |- + observedGeneration reports which version of the spec is being synced. + If this value is not equal to metadata.generation, then the desired + and conditions fields may represent a previous version. + format: int64 + type: integer + required: + - availableUpdates + - desired + - observedGeneration + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Version + jsonPath: .status.version.history[?(@.state=="Completed")].version + name: Version + type: string + - description: KubeConfig Secret + jsonPath: .status.kubeconfig.name + name: KubeConfig + type: string + - description: Progress + jsonPath: .status.version.history[?(@.state!="")].state + name: Progress + type: string + - description: Available + jsonPath: .status.conditions[?(@.type=="Available")].status + name: Available + type: string + - description: Progressing + jsonPath: .status.conditions[?(@.type=="Progressing")].status + name: Progressing + type: string + - description: Message + jsonPath: .status.conditions[?(@.type=="Available")].message + name: Message + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HostedCluster is the primary representation of a HyperShift cluster and encapsulates + the control plane and common data plane configuration. Creating a HostedCluster + results in a fully functional OpenShift control plane with no attached nodes. + To support workloads (e.g. pods), a HostedCluster may have one or more associated + NodePool resources. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the desired behavior of the HostedCluster. + properties: + additionalTrustBundle: + description: |- + AdditionalTrustBundle is a reference to a ConfigMap containing a + PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + auditWebhook: + description: |- + AuditWebhook contains metadata for configuring an audit webhook endpoint + for a cluster to process cluster audit events. It references a secret that + contains the webhook information for the audit webhook endpoint. It is a + secret because if the endpoint has mTLS the kubeconfig will contain client + keys. 
The kubeconfig needs to be stored in the secret with a secret key + name that corresponds to the constant AuditWebhookKubeconfigKey. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + autoscaling: + description: |- + Autoscaling specifies auto-scaling behavior that applies to all NodePools + associated with the control plane. + properties: + maxNodeProvisionTime: + description: |- + MaxNodeProvisionTime is the maximum time to wait for node provisioning + before considering the provisioning to be unsuccessful, expressed as a Go + duration string. The default is 15 minutes. + pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ + type: string + maxNodesTotal: + description: |- + MaxNodesTotal is the maximum allowable number of nodes across all NodePools + for a HostedCluster. The autoscaler will not grow the cluster beyond this + number. + format: int32 + minimum: 0 + type: integer + maxPodGracePeriod: + description: |- + MaxPodGracePeriod is the maximum seconds to wait for graceful pod + termination before scaling down a NodePool. The default is 600 seconds. + format: int32 + minimum: 0 + type: integer + podPriorityThreshold: + description: |- + PodPriorityThreshold enables users to schedule "best-effort" pods, which + shouldn't trigger autoscaler actions, but only run when there are spare + resources available. The default is -10. 
+ + + See the following for more details: + https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption + format: int32 + type: integer + type: object + channel: + description: |- + channel is an identifier for explicitly requesting that a non-default + set of updates be applied to this cluster. The default channel will be + contain stable updates that are appropriate for production clusters. + type: string + clusterID: + description: |- + ClusterID uniquely identifies this cluster. This is expected to be + an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in + hexadecimal values). + As with a Kubernetes metadata.uid, this ID uniquely identifies this + cluster in space and time. + This value identifies the cluster in metrics pushed to telemetry and + metrics produced by the control plane operators. If a value is not + specified, an ID is generated. After initial creation, the value is + immutable. + pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' + type: string + configuration: + description: |- + Configuration specifies configuration for individual OCP components in the + cluster, represented as embedded resources that correspond to the openshift + configuration API. + properties: + apiServer: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. 
+ items: + type: string + type: array + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request + user must be member of in order to this profile + to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + + If unset, the 'Default' profile is used as the default. 
+ enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
+ You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption + of resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. 
+ items: + description: APIServerNamedServingCert maps a server + DNS name, as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + type: object + type: array + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + + ciphers: + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. 
Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + + minTLSVersion: VersionTLS11 + + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - 
ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + - DHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-ECDSA-AES128-SHA256 + + + - ECDHE-RSA-AES128-SHA256 + + + - ECDHE-ECDSA-AES128-SHA + + + - ECDHE-RSA-AES128-SHA + + + - ECDHE-ECDSA-AES256-SHA384 + + + - ECDHE-RSA-AES256-SHA384 + + + - ECDHE-ECDSA-AES256-SHA + + + - ECDHE-RSA-AES256-SHA + + + - DHE-RSA-AES128-SHA256 + + + - DHE-RSA-AES256-SHA256 + + + - AES128-GCM-SHA256 + + + - AES256-GCM-SHA384 + + + - AES128-SHA256 + + + - AES256-SHA256 + + + - AES128-SHA + + + - AES256-SHA + + + - DES-CBC3-SHA + + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + authentication: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. 
+ This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + oidcProviders: + description: |- + OIDCProviders are OIDC identity providers that can issue tokens + for this cluster + Can only be set if "Type" is set to "OIDC". + + + At most one provider can be configured. + items: + properties: + claimMappings: + description: |- + ClaimMappings describes rules on how to transform information from an + ID token into a cluster identity + properties: + groups: + description: |- + Groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. + properties: + claim: + description: Claim is a JWT token claim to be + used in the mapping + type: string + prefix: + description: |- + Prefix is a string to prefix the value from the token in the result of the + claim mapping. + + + By default, no prefixing occurs. + + + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + required: + - claim + type: object + username: + description: |- + Username is a name of the claim that should be used to construct + usernames for the cluster identity. 
+ + + Default value: "sub" + properties: + claim: + description: Claim is a JWT token claim to be + used in the mapping + type: string + prefix: + properties: + prefixString: + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + PrefixPolicy specifies how a prefix should apply. + + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + + Set to "NoPrefix" to disable prefixing. + + + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + required: + - claim + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is + 'Prefix', but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy + == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + type: object + claimValidationRules: + description: ClaimValidationRules are rules that are + applied to validate token claims to authenticate users. + items: + properties: + requiredClaim: + description: |- + RequiredClaim allows configuring a required claim name and its expected + value + properties: + claim: + description: |- + Claim is a name of a required claim. Only claims with string values are + supported. 
+ minLength: 1 + type: string + requiredValue: + description: RequiredValue is the required + value for the claim. + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: Type sets the type of the validation + rule + enum: + - RequiredClaim + type: string + type: object + type: array + x-kubernetes-list-type: atomic + issuer: + description: Issuer describes atributes of the OIDC + token issuer + properties: + audiences: + description: |- + Audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + issuerURL: + description: |- + URL is the serving URL of the token issuer. + Must use the https:// scheme. 
+ pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: Name of the OIDC provider + minLength: 1 + type: string + oidcClients: + description: |- + OIDCClients contains configuration for the platform's clients that + need to request tokens from the issuer + items: + properties: + clientID: + description: ClientID is the identifier of the + OIDC client from the OIDC provider + minLength: 1 + type: string + clientSecret: + description: |- + ClientSecret refers to a secret in the `openshift-config` namespace that + contains the client secret in the `clientSecret` key of the `.data` field + properties: + name: + description: name is the metadata.name of + the referenced secret + type: string + required: + - name + type: object + componentName: + description: |- + ComponentName is the name of the component that is supposed to consume this + client configuration + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + ComponentNamespace is the namespace of the component that is supposed to consume this + client configuration + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: ExtraScopes is an optional set of + scopes to request tokens with. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + + For further details, see: + + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting + it has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. 
+ It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + featureGate: + description: FeatureGate holds cluster-wide information about + feature gates. + properties: + customNoUpgrade: + description: |- + customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. + Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations + your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
+ nullable: true + properties: + disabled: + description: disabled is a list of all feature gates that + you want to force off + items: + description: FeatureGateName is a string to enforce + patterns on the name of a FeatureGate + pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ + type: string + type: array + enabled: + description: enabled is a list of all feature gates that + you want to force on + items: + description: FeatureGateName is a string to enforce + patterns on the name of a FeatureGate + pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ + type: string + type: array + type: object + featureSet: + description: |- + featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. + Turning on or off features may cause irreversible changes in your cluster which cannot be undone. + type: string + x-kubernetes-validations: + - message: CustomNoUpgrade may not be changed + rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' + : true' + - message: TechPreviewNoUpgrade may not be changed + rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' + : true' + - message: DevPreviewNoUpgrade may not be changed + rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' + : true' + type: object + image: + description: |- + Image governs policies related to imagestream imports and runtime configuration + for external registries. It allows cluster admins to configure which registries + OpenShift is allowed to import images from, extra CA trust bundles for external + registries, and policies to block or allow registry hostnames. + When exposing OpenShift's image registry to the public, this also lets cluster + admins specify the external hostname. 
+ properties: + additionalTrustedCA: + description: |- + additionalTrustedCA is a reference to a ConfigMap containing additional CAs that + should be trusted during imagestream import, pod image pull, build image pull, and + imageregistry pullthrough. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + allowedRegistriesForImport: + description: |- + allowedRegistriesForImport limits the container image registries that normal users may import + images from. Set this list to the registries that you trust to contain valid Docker + images and that you want applications to be able to import from. Users with + permission to create Images or ImageStreamMappings via the API are not affected by + this policy - typically only administrators or system integrations will have those + permissions. + items: + description: |- + RegistryLocation contains a location of the registry specified by the registry domain + name. The domain name might include wildcards, like '*' or '??'. + properties: + domainName: + description: |- + domainName specifies a domain name for the registry + In case the registry use non-standard (80 or 443) port, the port should be included + in the domain name as well. + type: string + insecure: + description: |- + insecure indicates whether the registry is secure (https) or insecure (http) + By default (if not specified) the registry is assumed as secure. + type: boolean + type: object + type: array + externalRegistryHostnames: + description: |- + externalRegistryHostnames provides the hostnames for the default external image + registry. The external hostname should be set only when the image registry + is exposed externally. The first value is used in 'publicDockerImageRepository' + field in ImageStreams. The value must be in "hostname[:port]" format. 
+ items: + type: string + type: array + registrySources: + description: |- + registrySources contains configuration that determines how the container runtime + should treat individual registries when accessing images for builds+pods. (e.g. + whether or not to allow insecure access). It does not contain configuration for the + internal cluster registry. + properties: + allowedRegistries: + description: |- + allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. + + + Only one of BlockedRegistries or AllowedRegistries may be set. + items: + type: string + type: array + blockedRegistries: + description: |- + blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. + + + Only one of BlockedRegistries or AllowedRegistries may be set. + items: + type: string + type: array + containerRuntimeSearchRegistries: + description: |- + containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified + domains in their pull specs. Registries will be searched in the order provided in the list. + Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. + format: hostname + items: + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + insecureRegistries: + description: insecureRegistries are registries which do + not have a valid TLS certificates or only support HTTP + connections. + items: + type: string + type: array + type: object + type: object + ingress: + description: |- + Ingress holds cluster-wide information about ingress, including the default ingress domain + used for routes. + properties: + appsDomain: + description: |- + appsDomain is an optional domain to use instead of the one specified + in the domain field when a Route is created without specifying an explicit + host. 
If appsDomain is nonempty, this value is used to generate default + host values for Route. Unlike domain, appsDomain may be modified after + installation. + This assumes a new ingresscontroller has been setup with a wildcard + certificate. + type: string + componentRoutes: + description: |- + componentRoutes is an optional list of routes that are managed by OpenShift components + that a cluster-admin is able to configure the hostname and serving certificate for. + The namespace and name of each route in this list should match an existing entry in the + status.componentRoutes list. + + + To determine the set of configurable Routes, look at namespace and name of entries in the + .status.componentRoutes list, where participating operators write the status of + configurable routes. + items: + description: ComponentRouteSpec allows for configuration + of a route's hostname and serving certificate. + properties: + hostname: + description: hostname is the hostname that should be + used by the route. + pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ + type: string + name: + description: |- + name is the logical name of the route to customize. + + + The namespace and name of this componentRoute must match a corresponding + entry in the list of status.componentRoutes if the route is to be customized. + maxLength: 256 + minLength: 1 + type: string + namespace: + description: |- + namespace is the namespace of the route to customize. + + + The namespace and name of this componentRoute must match a corresponding + entry in the list of status.componentRoutes if the route is to be customized. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + servingCertKeyPairSecret: + description: |- + servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. + The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. + If the custom hostname uses the default routing suffix of the cluster, + the Secret specification for a serving certificate will not be needed. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + required: + - hostname + - name + - namespace + type: object + type: array + x-kubernetes-list-map-keys: + - namespace + - name + x-kubernetes-list-type: map + domain: + description: |- + domain is used to generate a default host name for a route when the + route's host name is empty. The generated host name will follow this + pattern: "..". + + + It is also used as the default wildcard domain suffix for ingress. The + default ingresscontroller domain will follow this pattern: "*.". + + + Once set, changing domain is not currently supported. + type: string + loadBalancer: + description: |- + loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure + provider of the current cluster and are required for Ingress Controller to work on OpenShift. + properties: + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for the ingress load balancers. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains settings specific to the + Amazon Web Services infrastructure provider. 
+ properties: + type: + description: |- + type allows user to set a load balancer type. + When this field is set the default ingresscontroller will get created using the specified LBType. + If this field is not set then the default ingress controller of LBType Classic will be created. + Valid values are: + + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - NLB + - Classic + type: string + required: + - type + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", + "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", + "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, + and must handle unrecognized platforms as None if they do not support that platform. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + type: object + type: object + requiredHSTSPolicies: + description: |- + requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes + matching the domainPattern/s and namespaceSelector/s that are specified in the policy. + Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route + annotation, and affect route admission. 
+ + + A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: + "haproxy.router.openshift.io/hsts_header" + E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains + + + - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, + then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route + is rejected. + - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies + determines the route's admission status. + - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, + then it may use any HSTS Policy annotation. + + + The HSTS policy configuration may be changed after routes have already been created. An update to a previously + admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. + However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. + + + Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. + items: + properties: + domainPatterns: + description: |- + domainPatterns is a list of domains for which the desired HSTS annotations are required. + If domainPatterns is specified and a route is created with a spec.host matching one of the domains, + the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. + + + The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. + foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. + items: + type: string + minItems: 1 + type: array + includeSubDomainsPolicy: + description: |- + includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's + domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: + - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com + - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com + - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com + - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com + enum: + - RequireIncludeSubDomains + - RequireNoIncludeSubDomains + - NoOpinion + type: string + maxAge: + description: |- + maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. + If set to 0, it negates the effect, and hosts are removed as HSTS hosts. + If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. + maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS + policy will eventually expire on that client. + properties: + largestMaxAge: + description: |- + The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age + This value can be left unspecified, in which case no upper limit is enforced. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + smallestMaxAge: + description: |- + The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age + Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary + tool for administrators to quickly correct mistakes. + This value can be left unspecified, in which case no lower limit is enforced. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + type: object + namespaceSelector: + description: |- + namespaceSelector specifies a label selector such that the policy applies only to those routes that + are in namespaces with labels that match the selector, and are in one of the DomainPatterns. + Defaults to the empty LabelSelector, which matches everything. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + preloadPolicy: + description: |- + preloadPolicy directs the client to include hosts in its host preload list so that + it never needs to do an initial load to get the HSTS header (note that this is not defined + in RFC 6797 and is therefore client implementation-dependent). + enum: + - RequirePreload + - RequireNoPreload + - NoOpinion + type: string + required: + - domainPatterns + type: object + type: array + type: object + network: + description: |- + Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. + Please view network.spec for an explanation on what applies when configuring this resource. + TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. + properties: + clusterNetwork: + description: |- + IP address pool to use for pod IPs. + This field is immutable after installation. + items: + description: |- + ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs + are allocated. + properties: + cidr: + description: The complete block for pod IPs. + type: string + hostPrefix: + description: |- + The size (prefix) of block to allocate to each node. If this + field is not used by the plugin, it can be left unset. + format: int32 + minimum: 0 + type: integer + type: object + type: array + x-kubernetes-list-type: atomic + externalIP: + description: |- + externalIP defines configuration for controllers that + affect Service.ExternalIP. If nil, then ExternalIP is + not allowed to be set. + properties: + autoAssignCIDRs: + description: |- + autoAssignCIDRs is a list of CIDRs from which to automatically assign + Service.ExternalIP. These are assigned when the service is of type + LoadBalancer. In general, this is only useful for bare-metal clusters. + In Openshift 3.x, this was misleadingly called "IngressIPs". + Automatically assigned External IPs are not affected by any + ExternalIPPolicy rules. + Currently, only one entry may be provided. + items: + type: string + type: array + x-kubernetes-list-type: atomic + policy: + description: |- + policy is a set of restrictions applied to the ExternalIP field. + If nil or empty, then ExternalIP is not allowed to be set. + properties: + allowedCIDRs: + description: allowedCIDRs is the list of allowed CIDRs. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + rejectedCIDRs: + description: |- + rejectedCIDRs is the list of disallowed CIDRs. These take precedence + over allowedCIDRs. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + type: object + networkDiagnostics: + description: |- + networkDiagnostics defines network diagnostics configuration. + + + Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. + If networkDiagnostics is not specified or is empty, + and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, + the network diagnostics feature will be disabled. + properties: + mode: + description: |- + mode controls the network diagnostics mode + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is All. + enum: + - "" + - All + - Disabled + type: string + sourcePlacement: + description: |- + sourcePlacement controls the scheduling of network diagnostics source deployment + + + See NetworkDiagnosticsSourcePlacement for more details about default values. + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `kubernetes.io/os: linux`. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is an empty list. 
+ items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + targetPlacement: + description: |- + targetPlacement controls the scheduling of network diagnostics target daemonset + + + See NetworkDiagnosticsTargetPlacement for more details about default values. 
+ properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `kubernetes.io/os: linux`. + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to network diagnostics components + + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default is `- operator: "Exists"` which means that all taints are tolerated. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. 
+ format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + networkType: + description: |- + NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). + This should match a value that the cluster-network-operator understands, + or else no networking will be installed. + Currently supported values are: + - OpenShiftSDN + This field is immutable after installation. + type: string + serviceNetwork: + description: |- + IP address pool for services. + Currently, we only support a single entry here. + This field is immutable after installation. + items: + type: string + type: array + x-kubernetes-list-type: atomic + serviceNodePortRange: + description: |- + The port range allowed for Services of type NodePort. + If not specified, the default of 30000-32767 will be used. + Such Services without a NodePort specified will have one + automatically allocated from this range. + This parameter can be updated after the cluster is + installed. + pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ + type: string + type: object + oauth: + description: |- + OAuth holds cluster-wide information about OAuth. + It is used to configure the integrated OAuth server. + This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. + properties: + identityProviders: + description: |- + identityProviders is an ordered list of ways for a user to identify themselves. + When this list is empty, no identities are provisioned for users. 
+ items: + description: IdentityProvider provides identities for users + authenticating using credentials + properties: + basicAuth: + description: basicAuth contains configuration options + for the BasicAuth IdP + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + tlsClientCert: + description: |- + tlsClientCert is an optional reference to a secret by name that contains the + PEM-encoded TLS client certificate to present when connecting to the server. + The key "tls.crt" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + tlsClientKey: + description: |- + tlsClientKey is an optional reference to a secret by name that contains the + PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. + The key "tls.key" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. 
+ The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the remote URL to connect to + type: string + type: object + github: + description: github enables user authentication using + GitHub credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + This can only be configured when hostname is set to a non-empty value. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + hostname: + description: |- + hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of + GitHub Enterprise. + It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
+ type: string + organizations: + description: organizations optionally restricts + which organizations are allowed to log in + items: + type: string + type: array + teams: + description: teams optionally restricts which teams + are allowed to log in. Format is /. + items: + type: string + type: array + type: object + gitlab: + description: gitlab enables user authentication using + GitLab credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the oauth server base URL + type: string + type: object + google: + description: google enables user authentication using + Google credentials + properties: + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + hostedDomain: + description: hostedDomain is the optional Google + App domain (e.g. "mycompany.com") to restrict + logins to + type: string + type: object + htpasswd: + description: htpasswd enables user authentication using + an HTPasswd file to validate credentials + properties: + fileData: + description: |- + fileData is a required reference to a secret by name containing the data to use as the htpasswd file. + The key "htpasswd" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + If the specified htpasswd data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + type: object + keystone: + description: keystone enables user authentication using + keystone password credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
+ It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + domainName: + description: domainName is required for keystone + v3 + type: string + tlsClientCert: + description: |- + tlsClientCert is an optional reference to a secret by name that contains the + PEM-encoded TLS client certificate to present when connecting to the server. + The key "tls.crt" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + tlsClientKey: + description: |- + tlsClientKey is an optional reference to a secret by name that contains the + PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. + The key "tls.key" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + If the specified certificate data is not valid, the identity provider is not honored. + The namespace for this secret is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + url: + description: url is the remote URL to connect to + type: string + type: object + ldap: + description: ldap enables user authentication using + LDAP credentials + properties: + attributes: + description: attributes maps LDAP attributes to + identities + properties: + email: + description: |- + email is the list of attributes whose values should be used as the email address. Optional. + If unspecified, no email is set for the identity + items: + type: string + type: array + id: + description: |- + id is the list of attributes whose values should be used as the user ID. Required. + First non-empty attribute is used. At least one attribute is required. If none of the listed + attribute have a value, authentication fails. + LDAP standard identity attribute is "dn" + items: + type: string + type: array + name: + description: |- + name is the list of attributes whose values should be used as the display name. Optional. + If unspecified, no display name is set for the identity + LDAP standard display name attribute is "cn" + items: + type: string + type: array + preferredUsername: + description: |- + preferredUsername is the list of attributes whose values should be used as the preferred username. + LDAP standard login attribute is "uid" + items: + type: string + type: array + type: object + bindDN: + description: bindDN is an optional DN to bind with + during the search phase. + type: string + bindPassword: + description: |- + bindPassword is an optional reference to a secret by name + containing a password to bind with during the search phase. + The key "bindPassword" is used to locate the data. + If specified and the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. 
+ properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + insecure: + description: |- + insecure, if true, indicates the connection should not use TLS + WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always + attempt to connect using TLS, even when `insecure` is set to `true` + When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to + a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. + type: boolean + url: + description: |- + url is an RFC 2255 URL which specifies the LDAP search parameters to use. + The syntax of the URL is: + ldap://host:port/basedn?attribute?scope?filter + type: string + type: object + mappingMethod: + description: |- + mappingMethod determines how identities from this provider are mapped to users + Defaults to "claim" + type: string + name: + description: |- + name is used to qualify the identities returned by this provider. + - It MUST be unique and not shared by any other identity provider used + - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" + Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName + type: string + openID: + description: openID enables user authentication using + OpenID credentials + properties: + ca: + description: |- + ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + The key "ca.crt" is used to locate the data. + If specified and the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + If empty, the default system roots are used. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + claims: + description: claims mappings + properties: + email: + description: |- + email is the list of claims whose values should be used as the email address. Optional. + If unspecified, no email is set for the identity + items: + type: string + type: array + x-kubernetes-list-type: atomic + groups: + description: |- + groups is the list of claims value of which should be used to synchronize groups + from the OIDC provider to OpenShift for the user. + If multiple claims are specified, the first one with a non-empty value is used. + items: + description: |- + OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo + responses + minLength: 1 + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: |- + name is the list of claims whose values should be used as the display name. Optional. 
+ If unspecified, no display name is set for the identity + items: + type: string + type: array + x-kubernetes-list-type: atomic + preferredUsername: + description: |- + preferredUsername is the list of claims whose values should be used as the preferred username. + If unspecified, the preferred username is determined from the value of the sub claim + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + clientID: + description: clientID is the oauth client ID + type: string + clientSecret: + description: |- + clientSecret is a required reference to the secret by name containing the oauth client secret. + The key "clientSecret" is used to locate the data. + If the secret or expected key is not found, the identity provider is not honored. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced secret + type: string + required: + - name + type: object + extraAuthorizeParameters: + additionalProperties: + type: string + description: extraAuthorizeParameters are any custom + parameters to add to the authorize request. + type: object + extraScopes: + description: extraScopes are any scopes to request + in addition to the standard "openid" scope. + items: + type: string + type: array + issuer: + description: |- + issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. + It must use the https scheme with no query or fragment component. + type: string + type: object + requestHeader: + description: requestHeader enables user authentication + using request header credentials + properties: + ca: + description: |- + ca is a required reference to a config map by name containing the PEM-encoded CA bundle. + It is used as a trust anchor to validate the TLS certificate presented by the remote server. + Specifically, it allows verification of incoming requests to prevent header spoofing. + The key "ca.crt" is used to locate the data. 
+ If the config map or expected key is not found, the identity provider is not honored. + If the specified ca data is not valid, the identity provider is not honored. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + challengeURL: + description: |- + challengeURL is a URL to redirect unauthenticated /authorize requests to + Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be + redirected here. + ${url} is replaced with the current URL, escaped to be safe in a query parameter + https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string + https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when challenge is set to true. + type: string + clientCommonNames: + description: |- + clientCommonNames is an optional list of common names to require a match from. If empty, any + client certificate validated against the clientCA bundle is considered authoritative. + items: + type: string + type: array + emailHeaders: + description: emailHeaders is the set of headers + to check for the email address + items: + type: string + type: array + headers: + description: headers is the set of headers to check + for identity information + items: + type: string + type: array + loginURL: + description: |- + loginURL is a URL to redirect unauthenticated /authorize requests to + Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here + ${url} is replaced with the current URL, escaped to be safe in a query parameter + https://www.example.com/sso-login?then=${url} + ${query} is replaced with the current query string + https://www.example.com/auth-proxy/oauth/authorize?${query} + Required when login is set to true. 
+ type: string + nameHeaders: + description: nameHeaders is the set of headers to + check for the display name + items: + type: string + type: array + preferredUsernameHeaders: + description: preferredUsernameHeaders is the set + of headers to check for the preferred username + items: + type: string + type: array + type: object + type: + description: type identifies the identity provider type + for this entry. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + templates: + description: templates allow you to customize pages like the + login page. + properties: + error: + description: |- + error is the name of a secret that specifies a go template to use to render error pages + during the authentication or grant flow. + The key "errors.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default error page is used. + If the specified template is not valid, the default error page is used. + If unspecified, the default error page is used. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + login: + description: |- + login is the name of a secret that specifies a go template to use to render the login page. + The key "login.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default login page is used. + If the specified template is not valid, the default login page is used. + If unspecified, the default login page is used. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + providerSelection: + description: |- + providerSelection is the name of a secret that specifies a go template to use to render + the provider selection page. 
+ The key "providers.html" is used to locate the template data. + If specified and the secret or expected key is not found, the default provider selection page is used. + If the specified template is not valid, the default provider selection page is used. + If unspecified, the default provider selection page is used. + The namespace for this secret is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + tokenConfig: + description: tokenConfig contains options for authorization + and access tokens + properties: + accessTokenInactivityTimeout: + description: |- + accessTokenInactivityTimeout defines the token inactivity timeout + for tokens granted by any client. + The value represents the maximum amount of time that can occur between + consecutive uses of the token. Tokens become invalid if they are not + used within this temporal window. The user will need to acquire a new + token to regain access once a token times out. Takes valid time + duration string such as "5m", "1.5h" or "2h45m". The minimum allowed + value for duration is 300s (5 minutes). If the timeout is configured + per client, then that value takes precedence. If the timeout value is + not specified and the client does not override the value, then tokens + are valid until their lifetime. + + + WARNING: existing tokens' timeout will not be affected (lowered) by changing this value + type: string + accessTokenInactivityTimeoutSeconds: + description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: + setting this field has no effect.' 
+ format: int32 + type: integer + accessTokenMaxAgeSeconds: + description: accessTokenMaxAgeSeconds defines the maximum + age of access tokens + format: int32 + type: integer + type: object + type: object + x-kubernetes-validations: + - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout + minimum acceptable token timeout value is 300 seconds + rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) + || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() + >= 300' + operatorhub: + description: |- + OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. + The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. + properties: + disableAllDefaultSources: + description: |- + disableAllDefaultSources allows you to disable all the default hub + sources. If this is true, a specific entry in sources can be used to + enable a default source. If this is false, a specific entry in + sources can be used to disable or enable a default source. + type: boolean + sources: + description: |- + sources is the list of default hub sources and their configuration. + If the list is empty, it implies that the default hub sources are + enabled on the cluster unless disableAllDefaultSources is true. + If disableAllDefaultSources is true and sources is not empty, + the configuration present in sources will take precedence. The list of + default hub sources and their current state will always be reflected in + the status block. 
+ items: + description: HubSource is used to specify the hub source + and its configuration + properties: + disabled: + description: disabled is used to disable a default hub + source on cluster + type: boolean + name: + description: name is the name of one of the default + hub sources + maxLength: 253 + minLength: 1 + type: string + type: object + type: array + type: object + proxy: + description: Proxy holds cluster-wide information on how to configure + default proxies for the cluster. + properties: + httpProxy: + description: httpProxy is the URL of the proxy for HTTP requests. Empty + means unset and will not result in an env var. + type: string + httpsProxy: + description: httpsProxy is the URL of the proxy for HTTPS + requests. Empty means unset and will not result in an env + var. + type: string + noProxy: + description: |- + noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. + Empty means unset and will not result in an env var. + type: string + readinessEndpoints: + description: readinessEndpoints is a list of endpoints used + to verify readiness of the proxy. + items: + type: string + type: array + trustedCA: + description: |- + trustedCA is a reference to a ConfigMap containing a CA certificate bundle. + The trustedCA field should only be consumed by a proxy validator. The + validator is responsible for reading the certificate bundle from the required + key "ca-bundle.crt", merging it with the system default trust bundle, + and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" + in the "openshift-config-managed" namespace. Clients that expect to make + proxy connections must use the trusted-ca-bundle for all HTTPS requests to + the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as + well. + + + The namespace for the ConfigMap referenced by trustedCA is + "openshift-config". 
Here is an example ConfigMap (in yaml): + + + apiVersion: v1 + kind: ConfigMap + metadata: + name: user-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + Custom CA certificate bundle. + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + type: object + scheduler: + description: |- + Scheduler holds cluster-wide config information to run the Kubernetes Scheduler + and influence its placement decisions. The canonical name for this config is `cluster`. + properties: + defaultNodeSelector: + description: |- + defaultNodeSelector helps set the cluster-wide default node selector to + restrict pod placement to specific nodes. This is applied to the pods + created in all namespaces and creates an intersection with any existing + nodeSelectors already set on a pod, additionally constraining that pod's selector. + For example, + defaultNodeSelector: "type=user-node,region=east" would set nodeSelector + field in pod spec to "type=user-node,region=east" to all pods created + in all namespaces. Namespaces having project-wide node selectors won't be + impacted even if this field is set. This adds an annotation section to + the namespace. + For example, if a new namespace is created with + node-selector='type=user-node,region=east', + the annotation openshift.io/node-selector: type=user-node,region=east + gets added to the project. When the openshift.io/node-selector annotation + is set on the project the value is used in preference to the value we are setting + for defaultNodeSelector field. + For instance, + openshift.io/node-selector: "type=user-node,region=west" means + that the default of "type=user-node,region=east" set in defaultNodeSelector + would not be applied. + type: string + mastersSchedulable: + description: |- + MastersSchedulable allows masters nodes to be schedulable. 
When this flag is + turned on, all the master nodes in the cluster will be made schedulable, + so that workload pods can run on them. The default value for this field is false, + meaning none of the master nodes are schedulable. + Important Note: Once the workload pods start running on the master nodes, + extreme care must be taken to ensure that cluster-critical control plane components + are not impacted. + Please turn on this field after doing due diligence. + type: boolean + policy: + description: |- + DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. + policy is a reference to a ConfigMap containing scheduler policy which has + user specified predicates and priorities. If this ConfigMap is not available + scheduler will default to use DefaultAlgorithmProvider. + The namespace for this configmap is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + profile: + description: |- + profile sets which scheduling profile should be set in order to configure scheduling + decisions for new pods. + + + Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" + Defaults to "LowNodeUtilization" + enum: + - "" + - LowNodeUtilization + - HighNodeUtilization + - NoScoring + type: string + profileCustomizations: + description: profileCustomizations contains configuration + for modifying the default behavior of existing scheduler + profiles. + properties: + dynamicResourceAllocation: + description: |- + dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. + Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. + Third-party resource drivers are responsible for tracking and allocating resources. 
+ Different kinds of resources support arbitrary parameters for defining requirements and initialization. + Valid values are Enabled, Disabled and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, + which is subject to change over time. + The current default is Disabled. + enum: + - "" + - Enabled + - Disabled + type: string + type: object + type: object + type: object + controlPlaneRelease: + description: |- + ControlPlaneRelease specifies the desired OCP release payload for + control plane components running on the management cluster. + Updating this field will trigger a rollout of the control plane. The + behavior of the rollout will be driven by the ControllerAvailabilityPolicy + and InfrastructureAvailabilityPolicy. + If not defined, Release is used + properties: + image: + description: Image is the image pullspec of an OCP release payload + image. + pattern: ^(\w+\S+)$ + type: string + required: + - image + type: object + controllerAvailabilityPolicy: + default: HighlyAvailable + description: |- + ControllerAvailabilityPolicy specifies the availability policy applied to + critical control plane components. The default value is HighlyAvailable. + type: string + dns: + description: DNS specifies DNS configuration for the cluster. + properties: + baseDomain: + description: BaseDomain is the base domain of the cluster. + type: string + baseDomainPrefix: + description: |- + BaseDomainPrefix is the base domain prefix of the cluster. + defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. + type: string + privateZoneID: + description: |- + PrivateZoneID is the Hosted Zone ID where all the DNS records that are only + available internally to the cluster exist. + type: string + publicZoneID: + description: |- + PublicZoneID is the Hosted Zone ID where all the DNS records that are + publicly accessible to the internet exist. 
+ type: string + required: + - baseDomain + type: object + etcd: + default: + managed: + storage: + persistentVolume: + size: 8Gi + type: PersistentVolume + managementType: Managed + description: |- + Etcd specifies configuration for the control plane etcd cluster. The + default ManagementType is Managed. Once set, the ManagementType cannot be + changed. + properties: + managed: + description: Managed specifies the behavior of an etcd cluster + managed by HyperShift. + properties: + storage: + description: Storage specifies how etcd data is persisted. + properties: + persistentVolume: + description: |- + PersistentVolume is the configuration for PersistentVolume etcd storage. + With this implementation, a PersistentVolume will be allocated for every + etcd member (either 1 or 3 depending on the HostedCluster control plane + availability configuration). + properties: + size: + anyOf: + - type: integer + - type: string + default: 8Gi + description: Size is the minimum size of the data + volume for each etcd member. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: Etcd PV storage size is immutable + rule: self == oldSelf + storageClassName: + description: |- + StorageClassName is the StorageClass of the data volume for each etcd member. + + + See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. + type: string + type: object + restoreSnapshotURL: + description: |- + RestoreSnapshotURL allows an optional URL to be provided where + an etcd snapshot can be downloaded, for example a pre-signed URL + referencing a storage service. + This snapshot will be restored on initial startup, only when the etcd PV + is empty. 
+ items: + type: string + type: array + x-kubernetes-validations: + - message: RestoreSnapshotURL shouldn't contain more than + 1 entry + rule: self.size() <= 1 + type: + description: Type is the kind of persistent storage implementation + to use for etcd. + enum: + - PersistentVolume + type: string + required: + - type + type: object + required: + - storage + type: object + managementType: + description: ManagementType defines how the etcd cluster is managed. + enum: + - Managed + - Unmanaged + type: string + unmanaged: + description: |- + Unmanaged specifies configuration which enables the control plane to + integrate with an eternally managed etcd cluster. + properties: + endpoint: + description: |- + Endpoint is the full etcd cluster client endpoint URL. For example: + + + https://etcd-client:2379 + + + If the URL uses an HTTPS scheme, the TLS field is required. + pattern: ^https:// + type: string + tls: + description: TLS specifies TLS configuration for HTTPS etcd + client endpoints. + properties: + clientSecret: + description: |- + ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It + may have the following key/value pairs: + + + etcd-client-ca.crt: Certificate Authority value + etcd-client.crt: Client certificate value + etcd-client.key: Client certificate key value + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + required: + - clientSecret + type: object + required: + - endpoint + - tls + type: object + required: + - managementType + type: object + fips: + description: |- + FIPS indicates whether this cluster's nodes will be running in FIPS mode. + If set to true, the control plane's ignition server will be configured to + expect that nodes joining the cluster will be FIPS-enabled. + type: boolean + imageContentSources: + description: |- + ImageContentSources specifies image mirrors that can be used by cluster + nodes to pull content. + items: + description: |- + ImageContentSource specifies image mirrors that can be used by cluster nodes + to pull content. For cluster workloads, if a container image registry host of + the pullspec matches Source then one of the Mirrors are substituted as hosts + in the pullspec and tried in order to fetch the image. + properties: + mirrors: + description: Mirrors are one or more repositories that may also + contain the same images. + items: + type: string + type: array + source: + description: |- + Source is the repository that users refer to, e.g. in image pull + specifications. + type: string + required: + - source + type: object + type: array + infraID: + description: |- + InfraID is a globally unique identifier for the cluster. This identifier + will be used to associate various cloud resources with the HostedCluster + and its associated NodePools. + type: string + infrastructureAvailabilityPolicy: + default: SingleReplica + description: |- + InfrastructureAvailabilityPolicy specifies the availability policy applied + to infrastructure services which run on cluster nodes. The default value is + SingleReplica. + type: string + issuerURL: + default: https://kubernetes.default.svc + description: |- + IssuerURL is an OIDC issuer URL which is used as the issuer in all + ServiceAccount tokens generated by the control plane API server. 
The + default value is kubernetes.default.svc, which only works for in-cluster + validation. + format: uri + type: string + networking: + default: + clusterNetwork: + - cidr: 10.132.0.0/14 + networkType: OVNKubernetes + serviceNetwork: + - cidr: 172.31.0.0/16 + description: Networking specifies network configuration for the cluster. + properties: + apiServer: + description: |- + APIServer contains advanced network settings for the API server that affect + how the APIServer is exposed inside a cluster node. + properties: + advertiseAddress: + description: |- + AdvertiseAddress is the address that nodes will use to talk to the API + server. This is an address associated with the loopback adapter of each + node. If not specified, the controller will take default values. + The default values will be set as 172.20.0.1 or fd00::1. + type: string + allowedCIDRBlocks: + description: |- + AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer + If not specified, traffic is allowed from all addresses. + This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges + items: + pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ + type: string + type: array + port: + description: |- + Port is the port at which the APIServer is exposed inside a node. Other + pods using host networking cannot listen on this port. + If unset 6443 is used. + This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. + Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. + Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. 
+ format: int32 + type: integer + type: object + clusterNetwork: + default: + - cidr: 10.132.0.0/14 + description: ClusterNetwork is the list of IP address pools for + pods. + items: + description: |- + ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks + are allocated with size 2^HostSubnetLength. + properties: + cidr: + description: CIDR is the IP block address pool. + type: string + hostPrefix: + description: |- + HostPrefix is the prefix size to allocate to each node from the CIDR. + For example, 24 would allocate 2^8=256 adresses to each node. If this + field is not used by the plugin, it can be left unset. + format: int32 + type: integer + required: + - cidr + type: object + type: array + machineNetwork: + description: MachineNetwork is the list of IP address pools for + machines. + items: + description: MachineNetworkEntry is a single IP address block + for node IP blocks. + properties: + cidr: + description: CIDR is the IP block address pool for machines + within the cluster. + type: string + required: + - cidr + type: object + type: array + networkType: + default: OVNKubernetes + description: NetworkType specifies the SDN provider used for cluster + networking. + enum: + - OpenShiftSDN + - Calico + - OVNKubernetes + - Other + type: string + serviceNetwork: + default: + - cidr: 172.31.0.0/16 + description: |- + ServiceNetwork is the list of IP address pools for services. + NOTE: currently only one entry is supported. + items: + description: ServiceNetworkEntry is a single IP address block + for the service network. + properties: + cidr: + description: CIDR is the IP block address pool for services + within the cluster. + type: string + required: + - cidr + type: object + type: array + required: + - clusterNetwork + - networkType + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector when specified, must be true for the pods + managed by the HostedCluster to be scheduled. 
+ type: object + olmCatalogPlacement: + default: management + description: |- + OLMCatalogPlacement specifies the placement of OLM catalog components. By default, + this is set to management and OLM catalog components are deployed onto the management + cluster. If set to guest, the OLM catalog components will be deployed onto the guest + cluster. + enum: + - management + - guest + type: string + x-kubernetes-validations: + - message: OLMCatalogPlacement is immutable + rule: self == oldSelf + pausedUntil: + description: |- + PausedUntil is a field that can be used to pause reconciliation on a resource. + Either a date can be provided in RFC3339 format or a boolean. If a date is + provided: reconciliation is paused on the resource until that date. If the boolean true is + provided: reconciliation is paused on the resource until the field is removed. + type: string + platform: + description: |- + Platform specifies the underlying infrastructure provider for the cluster + and is used to configure platform specific behavior. + properties: + agent: + description: Agent specifies configuration for agent-based installations. + properties: + agentNamespace: + description: AgentNamespace is the namespace where to search + for Agents for this cluster + type: string + required: + - agentNamespace + type: object + aws: + description: AWS specifies configuration for clusters running + on Amazon Web Services. + properties: + additionalAllowedPrincipals: + description: |- + AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs + to be added to the hosted control plane's VPC Endpoint Service to enable additional + VPC Endpoint connection requests to be automatically accepted. + See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html + for more details around VPC Endpoint Service allowed principals. 
+ items: + type: string + type: array + cloudProviderConfig: + description: |- + CloudProviderConfig specifies AWS networking configuration for the control + plane. + This is mainly used for cloud provider controller config: + https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 + TODO(dan): should this be named AWSNetworkConfig? + properties: + subnet: + description: Subnet is the subnet to use for control plane + cloud resources. + properties: + filters: + description: |- + Filters is a set of key/value pairs used to identify a resource + They are applied according to the rules defined by the AWS API: + https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html + items: + description: Filter is a filter used to identify + an AWS resource + properties: + name: + description: Name of the filter. Filter names + are case-sensitive. + type: string + values: + description: Values includes one or more filter + values. Filter values are case-sensitive. + items: + type: string + type: array + required: + - name + - values + type: object + type: array + id: + description: ID of resource + type: string + type: object + vpc: + description: VPC is the VPC to use for control plane cloud + resources. + type: string + zone: + description: |- + Zone is the availability zone where control plane cloud resources are + created. + type: string + required: + - vpc + type: object + endpointAccess: + default: Public + description: |- + EndpointAccess specifies the publishing scope of cluster endpoints. The + default is Public. + enum: + - Public + - PublicAndPrivate + - Private + type: string + multiArch: + default: false + description: |- + MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different + CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. 
+ type: boolean + region: + description: |- + Region is the AWS region in which the cluster resides. This configures the + OCP control plane cloud integrations, and is used by NodePool to resolve + the correct boot AMI for a given release. + type: string + resourceTags: + description: |- + ResourceTags is a list of additional tags to apply to AWS resources created + for the cluster. See + https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for + information on tagging AWS resources. AWS supports a maximum of 50 tags per + resource. OpenShift reserves 25 tags for its use, leaving 25 tags available + for the user. + items: + description: AWSResourceTag is a tag to apply to AWS resources + created for the cluster. + properties: + key: + description: Key is the key of the tag. + maxLength: 128 + minLength: 1 + pattern: ^[0-9A-Za-z_.:/=+-@]+$ + type: string + value: + description: |- + Value is the value of the tag. + + + Some AWS service do not support empty values. Since tags are added to + resources in many services, the length of the tag value must meet the + requirements of all services. + maxLength: 256 + minLength: 1 + pattern: ^[0-9A-Za-z_.:/=+-@]+$ + type: string + required: + - key + - value + type: object + maxItems: 25 + type: array + rolesRef: + description: |- + RolesRef contains references to various AWS IAM roles required to enable + integrations such as OIDC. 
+ properties: + controlPlaneOperatorARN: + description: "ControlPlaneOperatorARN is an ARN value + referencing a role appropriate for the Control Plane + Operator.\n\n\nThe following is an example of a valid + policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" + type: string + imageRegistryARN: + description: "ImageRegistryARN is an ARN value referencing + a role appropriate for the Image Registry Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + ingressARN: + description: "The referenced role must have a trust relationship + that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": + \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName + }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nIngressARN + is an ARN value referencing a role appropriate for the + Ingress Operator.\n\n\nThe following is an example of + a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" + type: string + kubeCloudControllerARN: + description: |- + KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. + Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies + + + The following is an example of a valid policy document: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeVpcs", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + } + ] + } + type: string + networkARN: + description: "NetworkARN is an ARN value referencing a + role appropriate for the Network Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n + \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n + \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + nodePoolManagementARN: + description: "NodePoolManagementARN is an ARN value referencing + a role appropriate for the CAPI Controller.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n + \ \"Version\": \"2012-10-17\",\n \"Statement\": [\n + \ {\n \"Action\": [\n \"ec2:AssociateRouteTable\",\n + \ \"ec2:AttachInternetGateway\",\n \"ec2:AuthorizeSecurityGroupIngress\",\n + \ \"ec2:CreateInternetGateway\",\n \"ec2:CreateNatGateway\",\n + \ 
\"ec2:CreateRoute\",\n \"ec2:CreateRouteTable\",\n + \ \"ec2:CreateSecurityGroup\",\n \"ec2:CreateSubnet\",\n + \ \"ec2:CreateTags\",\n \"ec2:DeleteInternetGateway\",\n + \ \"ec2:DeleteNatGateway\",\n \"ec2:DeleteRouteTable\",\n + \ \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteSubnet\",\n + \ \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n + \ \"ec2:DescribeAddresses\",\n \"ec2:DescribeAvailabilityZones\",\n + \ \"ec2:DescribeImages\",\n \"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNatGateways\",\n + \ \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeNetworkInterfaceAttribute\",\n + \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n + \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n + \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n + \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n + \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n + \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n + \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n + \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n + \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n + \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n + \ ],\n \"Resource\": [\n \"*\"\n ],\n + \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": + {\n \"StringLike\": {\n \"iam:AWSServiceName\": + \"elasticloadbalancing.amazonaws.com\"\n }\n },\n + \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n + \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n + \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": + [\n \"iam:PassRole\"\n ],\n \"Resource\": + [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n + \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": + 
\"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t + \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t + \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": + \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t + \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t + \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t + \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": + true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" + type: string + storageARN: + description: "StorageARN is an ARN value referencing a + role appropriate for the Storage Operator.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + required: + - controlPlaneOperatorARN + - imageRegistryARN + - ingressARN + - kubeCloudControllerARN + - networkARN + - nodePoolManagementARN + - storageARN + type: object + serviceEndpoints: + description: |- + ServiceEndpoints specifies optional custom endpoints which will override + the default service endpoint of specific AWS Services. + + + There must be only one ServiceEndpoint for a given service name. + items: + description: |- + AWSServiceEndpoint stores the configuration for services to + override existing defaults of AWS Services. + properties: + name: + description: |- + Name is the name of the AWS service. + This must be provided and cannot be empty. 
+ type: string + url: + description: |- + URL is fully qualified URI with scheme https, that overrides the default generated + endpoint for a client. + This must be provided and cannot be empty. + pattern: ^https:// + type: string + required: + - name + - url + type: object + type: array + sharedVPC: + description: |- + SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is + created in a different AWS account and is shared with the AWS account where the HostedCluster + will be created. + properties: + localZoneID: + description: |- + LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is + associated with the HostedCluster's VPC and exists in the VPC owner account. + maxLength: 32 + type: string + rolesRef: + description: |- + RolesRef contains references to roles in the VPC owner account that enable a + HostedCluster on a shared VPC. + properties: + controlPlaneARN: + description: "ControlPlaneARN is an ARN value referencing + the role in the VPC owner account that allows\nthe + control plane operator in the cluster account to + create and manage a VPC endpoint, its\ncorresponding + Security Group, and DNS records in the hypershift + local hosted zone.\n\n\nThe referenced role must + have a trust relationship that allows it to be assumed + by the\ncontrol plane operator role in the VPC creator + account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t + \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t + \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": + {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t + \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t + \t}\n\t ]\n}\n\n\nThe following is an example of + the policy document for this role.\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + type: string + ingressARN: + description: "IngressARN is an ARN value referencing + the role in the VPC owner account that allows the\ningress + operator in the cluster account to create and manage + records in the private DNS\nhosted zone.\n\n\nThe + referenced role must have a trust relationship that + allows it to be assumed by the\ningress operator + role in the VPC creator account.\nExample:\n{\n\t + \"Version\": \"2012-10-17\",\n\t \"Statement\": + [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": + \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": + \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t + \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t + \t}\n\t ]\n}\n\n\nThe following is an example of + the policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t]\n}" + pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + type: string + required: + - controlPlaneARN + - ingressARN + type: object + required: + - localZoneID + - rolesRef + type: object + required: + - region + - rolesRef + type: object + azure: + description: Azure defines azure specific settings + properties: + cloud: + default: AzurePublicCloud + description: 'Cloud is the cloud environment identifier, valid + values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' + enum: + - AzurePublicCloud + - AzureUSGovernmentCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureStackCloud + type: string + credentials: + description: |- + Credentials is the object containing existing Azure credentials needed for creating and managing cloud + infrastructure resources. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + location: + description: |- + Location is the Azure region in where all the cloud infrastructure resources will be created. + + + Example: eastus + type: string + x-kubernetes-validations: + - message: Location is immutable + rule: self == oldSelf + resourceGroup: + default: default + description: |- + ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted + Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. + + + In ARO HCP, this will be the managed resource group where customer cloud resources will be created. + + + Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. + + + Example: if your resource group ID is /subscriptions//resourceGroups/, your + ResourceGroupName is . + pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ + type: string + x-kubernetes-validations: + - message: ResourceGroupName is immutable + rule: self == oldSelf + securityGroupID: + description: |- + SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the + configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is + expected to exist under the same subscription as SubscriptionID. + type: string + x-kubernetes-validations: + - message: SecurityGroupID is immutable + rule: self == oldSelf + subnetID: + description: |- + SubnetID is the subnet ID of an existing subnet where the load balancer for node egress will be created. This + subnet is expected to be a subnet within the VNET specified in VnetID. This subnet is expected to exist under the + same subscription as SubscriptionID. + + + In ARO HCP, managed services will create the aforementioned load balancer in ResourceGroupName. 
+ type: string + x-kubernetes-validations: + - message: SubnetID is immutable + rule: self == oldSelf + subscriptionID: + description: SubscriptionID is a unique identifier for an + Azure subscription used to manage resources. + type: string + x-kubernetes-validations: + - message: SubscriptionID is immutable + rule: self == oldSelf + vnetID: + description: |- + VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group + other than the one specified in ResourceGroupName, but it must exist under the same subscription as + SubscriptionID. + + + In ARO HCP, this will be the ID of the customer provided VNET. + + + Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ + type: string + x-kubernetes-validations: + - message: VnetID is immutable + rule: self == oldSelf + required: + - credentials + - location + - resourceGroup + - subnetID + - subscriptionID + type: object + ibmcloud: + description: IBMCloud defines IBMCloud specific settings for components + properties: + providerType: + description: ProviderType is a specific supported infrastructure + provider within IBM Cloud. + type: string + type: object + kubevirt: + description: KubeVirt defines KubeVirt specific settings for cluster + components. + properties: + baseDomainPassthrough: + description: |- + BaseDomainPassthrough toggles whether or not an automatically + generated base domain for the guest cluster should be used that + is a subdomain of the management cluster's *.apps DNS. + + + For the KubeVirt platform, the basedomain can be autogenerated using + the *.apps domain of the management/infra hosting cluster + This makes the guest cluster's base domain a subdomain of the + hypershift infra/mgmt cluster's base domain. 
+ + + Example: + Infra/Mgmt cluster's DNS + Base: example.com + Cluster: mgmt-cluster.example.com + Apps: *.apps.mgmt-cluster.example.com + KubeVirt Guest cluster's DNS + Base: apps.mgmt-cluster.example.com + Cluster: guest.apps.mgmt-cluster.example.com + Apps: *.apps.guest.apps.mgmt-cluster.example.com + + + This is possible using OCP wildcard routes + type: boolean + x-kubernetes-validations: + - message: baseDomainPassthrough is immutable + rule: self == oldSelf + credentials: + description: |- + Credentials defines the client credentials used when creating KubeVirt virtual machines. + Defining credentials is only necessary when the KubeVirt virtual machines are being placed + on a cluster separate from the one hosting the Hosted Control Plane components. + + + The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on + the same cluster and namespace as the Hosted Control Plane. + properties: + infraKubeConfigSecret: + description: |- + InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster + that will be used to host the KubeVirt virtual machines for this cluster. + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + x-kubernetes-validations: + - message: infraKubeConfigSecret is immutable + rule: self == oldSelf + infraNamespace: + description: |- + InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt + virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig + referenced in the InfraKubeConfigSecret must have access to manage the required resources within this + namespace. 
+ type: string + x-kubernetes-validations: + - message: infraNamespace is immutable + rule: self == oldSelf + required: + - infraNamespace + type: object + generateID: + description: |- + GenerateID is used to uniquely apply a name suffix to resources associated with + kubevirt infrastructure resources + maxLength: 11 + type: string + x-kubernetes-validations: + - message: Kubevirt GenerateID is immutable once set + rule: self == oldSelf + storageDriver: + description: |- + StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on + the infra cluster (hosting the VMs) to the guest cluster. + properties: + manual: + description: |- + Manual is used to explicilty define how the infra storageclasses are + mapped to guest storageclasses + properties: + storageClassMapping: + description: |- + StorageClassMapping maps StorageClasses on the infra cluster hosting + the KubeVirt VMs to StorageClasses that are made available within the + Guest Cluster. + + + NOTE: It is possible that not all capablities of an infra cluster's + storageclass will be present for the corresponding guest clusters storageclass. + items: + properties: + group: + description: Group contains which group this + mapping belongs to. + type: string + guestStorageClassName: + description: |- + GuestStorageClassName is the name that the corresponding storageclass will + be called within the guest cluster + type: string + infraStorageClassName: + description: |- + InfraStorageClassName is the name of the infra cluster storage class that + will be exposed to the guest. + type: string + required: + - guestStorageClassName + - infraStorageClassName + type: object + type: array + x-kubernetes-validations: + - message: storageClassMapping is immutable + rule: self == oldSelf + volumeSnapshotClassMapping: + items: + properties: + group: + description: Group contains which group this + mapping belongs to. 
+ type: string + guestVolumeSnapshotClassName: + description: |- + GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will + be called within the guest cluster + type: string + infraVolumeSnapshotClassName: + description: |- + InfraStorageClassName is the name of the infra cluster volume snapshot class that + will be exposed to the guest. + type: string + required: + - guestVolumeSnapshotClassName + - infraVolumeSnapshotClassName + type: object + type: array + x-kubernetes-validations: + - message: volumeSnapshotClassMapping is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: storageDriver.Manual is immutable + rule: self == oldSelf + type: + default: Default + description: Type represents the type of kubevirt csi + driver configuration to use + enum: + - None + - Default + - Manual + type: string + x-kubernetes-validations: + - message: storageDriver.Type is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: storageDriver is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: Kubevirt GenerateID is required once set + rule: '!has(oldSelf.generateID) || has(self.generateID)' + openstack: + description: OpenStack specifies configuration for clusters running + on OpenStack. + properties: + disableExternalNetwork: + description: |- + DisableExternalNetwork specifies whether or not to attempt to connect the cluster + to an external network. This allows for the creation of clusters when connecting + to an external network is not possible or desirable, e.g. if using a provider network. + type: boolean + externalNetwork: + description: |- + ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. + This option is ignored if DisableExternalNetwork is set to true. + + + If ExternalNetwork is defined it must refer to exactly one external network. 
+ + + If ExternalNetwork is not defined or is empty the controller will use any + existing external network as long as there is only one. It is an + error if ExternalNetwork is not defined and there are multiple + external networks unless DisableExternalNetwork is also set. + + + If ExternalNetwork is not defined and there are no external networks + the controller will proceed as though DisableExternalNetwork was set. + maxProperties: 1 + minProperties: 1 + properties: + filter: + description: Filter specifies a filter to select an OpenStack + network. If provided, cannot be empty. + minProperties: 1 + properties: + description: + description: Description is the description of the + network to filter by. + type: string + name: + description: Name is the name of the network to filter + by. + type: string + notTags: + description: |- + NotTags is a list of tags to filter by. If specified, resources which + contain all of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + notTagsAny: + description: |- + NotTagsAny is a list of tags to filter by. If specified, resources + which contain any of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + projectID: + description: ProjectID is the project ID of the network + to filter by. + type: string + tags: + description: |- + Tags is a list of tags to filter by. If specified, the resource must + have all of the tags specified to be included in the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. 
+ minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + tagsAny: + description: |- + TagsAny is a list of tags to filter by. If specified, the resource + must have at least one of the tags specified to be included in the + result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + type: object + id: + description: ID is the ID of the network to use. If ID + is provided, the other filters cannot be provided. Must + be in UUID format. + format: uuid + type: string + type: object + identityRef: + description: |- + IdentityRef is a reference to a secret holding OpenStack credentials + to be used when reconciling the hosted cluster. + properties: + cloudName: + description: CloudName specifies the name of the entry + in the clouds.yaml file to use. + type: string + name: + description: |- + Name is the name of a secret in the same namespace as the resource being provisioned. + The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. + The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. + type: string + required: + - cloudName + - name + type: object + managedSubnets: + description: |- + ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, + and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster + MachineNetwork, and a router connected to the subnet. Currently only one IPv4 + subnet is supported. + items: + properties: + allocationPools: + description: |- + AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. + If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from + outside of these ranges manually. + items: + properties: + end: + description: End represents the end of the AlloctionPool, + that is the highest IP of the pool. + type: string + start: + description: Start represents the start of the + AllocationPool, that is the lowest IP of the + pool. + type: string + required: + - end + - start + type: object + type: array + dnsNameservers: + description: |- + DNSNameservers holds a list of DNS server addresses that will be provided when creating + the subnet. These addresses need to have the same IP version as CIDR. + items: + type: string + type: array + type: object + maxItems: 1 + type: array + x-kubernetes-list-type: atomic + network: + description: |- + Network specifies an existing network to use if no ManagedSubnets + are specified. + maxProperties: 1 + minProperties: 1 + properties: + filter: + description: Filter specifies a filter to select an OpenStack + network. If provided, cannot be empty. + minProperties: 1 + properties: + description: + description: Description is the description of the + network to filter by. + type: string + name: + description: Name is the name of the network to filter + by. + type: string + notTags: + description: |- + NotTags is a list of tags to filter by. If specified, resources which + contain all of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + notTagsAny: + description: |- + NotTagsAny is a list of tags to filter by. If specified, resources + which contain any of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. 
+ minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + projectID: + description: ProjectID is the project ID of the network + to filter by. + type: string + tags: + description: |- + Tags is a list of tags to filter by. If specified, the resource must + have all of the tags specified to be included in the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + tagsAny: + description: |- + TagsAny is a list of tags to filter by. If specified, the resource + must have at least one of the tags specified to be included in the + result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + type: object + id: + description: ID is the ID of the network to use. If ID + is provided, the other filters cannot be provided. Must + be in UUID format. + format: uuid + type: string + type: object + networkMTU: + description: |- + NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. + This value will be used only if the Cluster actuator creates the network. + If left empty, the network will have the default MTU defined in Openstack network service. + To use this field, the Openstack installation requires the net-mtu neutron API extension. + type: integer + router: + description: |- + Router specifies an existing router to be used if ManagedSubnets are + specified. If specified, no new router will be created. + maxProperties: 1 + minProperties: 1 + properties: + filter: + description: Filter specifies a filter to select an OpenStack + router. If provided, cannot be empty. 
+ minProperties: 1 + properties: + description: + description: Description is the description of the + router to filter by. + type: string + name: + description: Name is the name of the router to filter + by. + type: string + notTags: + description: |- + NotTags is a list of tags to filter by. If specified, resources which + contain all of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + notTagsAny: + description: |- + NotTagsAny is a list of tags to filter by. If specified, resources + which contain any of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + projectID: + description: ProjectID is the project ID of the router + to filter by. + type: string + tags: + description: |- + Tags is a list of tags to filter by. If specified, the resource must + have all of the tags specified to be included in the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + tagsAny: + description: |- + TagsAny is a list of tags to filter by. If specified, the resource + must have at least one of the tags specified to be included in the + result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + type: object + id: + description: ID is the ID of the router to use. 
If ID + is provided, the other filters cannot be provided. Must + be in UUID format. + format: uuid + type: string + type: object + subnets: + description: |- + Subnets specifies existing subnets to use if not ManagedSubnets are + specified. All subnets must be in the network specified by Network. + There can be zero, one, or two subnets. If no subnets are specified, + all subnets in Network will be used. If 2 subnets are specified, one + must be IPv4 and the other IPv6. + items: + description: SubnetParam specifies an OpenStack subnet to + use. It may be specified by either ID or filter, but not + both. + maxProperties: 1 + minProperties: 1 + properties: + filter: + description: Filter specifies a filter to select the + subnet. It must match exactly one subnet. + minProperties: 1 + properties: + cidr: + description: CIDR is the CIDR of the subnet to filter + by. + type: string + description: + description: Description is the description of the + subnet to filter by. + type: string + gatewayIP: + description: GatewayIP is the gateway IP of the + subnet to filter by. + type: string + ipVersion: + description: IPVersion is the IP version of the + subnet to filter by. + type: integer + ipv6AddressMode: + description: IPv6AddressMode is the IPv6 address + mode of the subnet to filter by. + type: string + ipv6RAMode: + description: IPv6RAMode is the IPv6 RA mode of the + subnet to filter by. + type: string + name: + description: Name is the name of the subnet to filter + by. + type: string + notTags: + description: |- + NotTags is a list of tags to filter by. If specified, resources which + contain all of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + notTagsAny: + description: |- + NotTagsAny is a list of tags to filter by. 
If specified, resources + which contain any of the given tags will be excluded from the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + projectID: + description: ProjectID is the project ID of the + subnet to filter by. + type: string + tags: + description: |- + Tags is a list of tags to filter by. If specified, the resource must + have all of the tags specified to be included in the result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + tagsAny: + description: |- + TagsAny is a list of tags to filter by. If specified, the resource + must have at least one of the tags specified to be included in the + result. + items: + description: |- + NeutronTag represents a tag on a Neutron resource. + It may not be empty and may not contain commas. + minLength: 1 + pattern: ^[^,]+$ + type: string + type: array + x-kubernetes-list-type: set + type: object + id: + description: ID is the uuid of the subnet. It will not + be validated. + format: uuid + type: string + type: object + maxItems: 2 + type: array + x-kubernetes-list-type: atomic + tags: + description: Tags to set on all resources in cluster which + support tags + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - identityRef + type: object + powervs: + description: |- + PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. + This field is immutable. Once set, It can't be changed. + properties: + accountID: + description: |- + AccountID is the IBMCloud account id. + This field is immutable. Once set, It can't be changed. 
+ type: string + cisInstanceCRN: + description: |- + CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name + This field is immutable. Once set, It can't be changed. + pattern: '^crn:' + type: string + imageRegistryOperatorCloudCreds: + description: |- + ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for image registry operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + ingressOperatorCloudCreds: + description: |- + IngressOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for ingress operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + kubeCloudControllerCreds: + description: |- + KubeCloudControllerCreds is a reference to a secret containing cloud + credentials with permissions matching the cloud controller policy. + This field is immutable. Once set, It can't be changed. + + + TODO(dan): document the "cloud controller policy" + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + nodePoolManagementCreds: + description: |- + NodePoolManagementCreds is a reference to a secret containing cloud + credentials with permissions matching the node pool management policy. + This field is immutable. Once set, It can't be changed. + + + TODO(dan): document the "node pool management policy" + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + region: + description: |- + Region is the IBMCloud region in which the cluster resides. 
This configures the + OCP control plane cloud integrations, and is used by NodePool to resolve + the correct boot image for a given release. + This field is immutable. Once set, It can't be changed. + type: string + resourceGroup: + description: |- + ResourceGroup is the IBMCloud Resource Group in which the cluster resides. + This field is immutable. Once set, It can't be changed. + type: string + serviceInstanceID: + description: |- + ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. + Power VS service is a container for all Power VS instances at a specific geographic region. + serviceInstance can be created via IBM Cloud catalog or CLI. + ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. + + + More detail about Power VS service instance. + https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server + + + This field is immutable. Once set, It can't be changed. + type: string + storageOperatorCloudCreds: + description: |- + StorageOperatorCloudCreds is a reference to a secret containing ibm cloud + credentials for storage operator to get authenticated with ibm cloud. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + subnet: + description: |- + Subnet is the subnet to use for control plane cloud resources. + This field is immutable. Once set, It can't be changed. 
+ properties: + id: + description: ID of resource + type: string + name: + description: Name of resource + type: string + type: object + vpc: + description: |- + VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control + plane. + This field is immutable. Once set, It can't be changed. + properties: + name: + description: |- + Name for VPC to used for all the service load balancer. + This field is immutable. Once set, It can't be changed. + type: string + region: + description: |- + Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic + into the OCP cluster. + This field is immutable. Once set, It can't be changed. + type: string + subnet: + description: |- + Subnet is the subnet to use for load balancer. + This field is immutable. Once set, It can't be changed. + type: string + zone: + description: |- + Zone is the availability zone where load balancer cloud resources are + created. + This field is immutable. Once set, It can't be changed. + type: string + required: + - name + - region + type: object + zone: + description: |- + Zone is the availability zone where control plane cloud resources are + created. + This field is immutable. Once set, It can't be changed. + type: string + required: + - accountID + - cisInstanceCRN + - imageRegistryOperatorCloudCreds + - ingressOperatorCloudCreds + - kubeCloudControllerCreds + - nodePoolManagementCreds + - region + - resourceGroup + - serviceInstanceID + - storageOperatorCloudCreds + - subnet + - vpc + - zone + type: object + type: + description: Type is the type of infrastructure provider for the + cluster. + enum: + - AWS + - None + - IBMCloud + - Agent + - KubeVirt + - Azure + - PowerVS + - OpenStack + type: string + required: + - type + type: object + pullSecret: + description: |- + PullSecret references a pull secret to be injected into the container + runtime of all cluster nodes. 
The secret must have a key named + ".dockerconfigjson" whose value is the pull secret JSON. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + release: + description: |- + Release specifies the desired OCP release payload for the hosted cluster. + + + Updating this field will trigger a rollout of the control plane. The + behavior of the rollout will be driven by the ControllerAvailabilityPolicy + and InfrastructureAvailabilityPolicy. + properties: + image: + description: Image is the image pullspec of an OCP release payload + image. + pattern: ^(\w+\S+)$ + type: string + required: + - image + type: object + secretEncryption: + description: |- + SecretEncryption specifies a Kubernetes secret encryption strategy for the + control plane. + properties: + aescbc: + description: AESCBC defines metadata about the AESCBC secret encryption + strategy + properties: + activeKey: + description: ActiveKey defines the active key used to encrypt + new secrets + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + required: + - activeKey + type: object + kms: + description: KMS defines metadata about the kms secret encryption + strategy + properties: + aws: + description: AWS defines metadata about the configuration + of the AWS KMS Secret Encryption provider + properties: + activeKey: + description: ActiveKey defines the active key used to + encrypt new secrets + properties: + arn: + description: ARN is the Amazon Resource Name for the + encryption key + pattern: '^arn:' + type: string + required: + - arn + type: object + auth: + description: Auth defines metadata about the management + of credentials used to interact with AWS KMS + properties: + awsKms: + description: "The referenced role must have a trust + relationship that allows it to be assumed via web + identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": + \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ + .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nAWSKMSARN + is an ARN value referencing a role appropriate for + managing the auth via the AWS KMS key.\n\n\nThe + following is an example of a valid policy document:\n\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": + %q\n\t\t}\n\t]\n}" + type: string + required: + - awsKms + type: object + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously 
created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + arn: + description: ARN is the Amazon Resource Name for the + encryption key + pattern: '^arn:' + type: string + required: + - arn + type: object + region: + description: Region contains the AWS region + type: string + required: + - activeKey + - auth + - region + type: object + azure: + description: Azure defines metadata about the configuration + of the Azure KMS Secret Encryption provider using Azure + key vault + properties: + activeKey: + description: ActiveKey defines the active key used to + encrypt new secrets + properties: + keyName: + description: KeyName is the name of the keyvault key + used for encrypt/decrypt + type: string + keyVaultName: + description: |- + KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name + Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: + `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` + type: string + keyVersion: + description: KeyVersion contains the version of the + key to use + type: string + required: + - keyName + - keyVaultName + - keyVersion + type: object + backupKey: + description: |- + BackupKey defines the old key during the rotation process so previously created + secrets can continue to be decrypted until they are all re-encrypted with the active key. + properties: + keyName: + description: KeyName is the name of the keyvault key + used for encrypt/decrypt + type: string + keyVaultName: + description: |- + KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name + Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: + `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` + type: string + keyVersion: + description: KeyVersion contains the version of the + key to use + type: string + required: + - keyName + - keyVaultName + - keyVersion + type: object + required: + - activeKey + type: object + ibmcloud: + description: IBMCloud defines metadata for the IBM Cloud KMS + encryption strategy + properties: + auth: + description: Auth defines metadata for how authentication + is done with IBM Cloud KMS + properties: + managed: + description: |- + Managed defines metadata around the service to service authentication strategy for the IBM Cloud + KMS system (all provider managed). + type: object + type: + description: Type defines the IBM Cloud KMS authentication + strategy + enum: + - Managed + - Unmanaged + type: string + unmanaged: + description: Unmanaged defines the auth metadata the + customer provides to interact with IBM Cloud KMS + properties: + credentials: + description: |- + Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to + call IBM Cloud KMS APIs + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + required: + - credentials + type: object + required: + - type + type: object + keyList: + description: KeyList defines the list of keys used for + data encryption + items: + description: IBMCloudKMSKeyEntry defines metadata for + an IBM Cloud KMS encryption key + properties: + correlationID: + description: CorrelationID is an identifier used + to track all api call usage from hypershift + type: string + crkID: + description: CRKID is the customer rook key id + type: string + instanceID: + description: InstanceID is the id for the key protect + instance + type: string + keyVersion: + description: |- + KeyVersion is a unique number associated with the key. The number increments whenever a new + key is enabled for data encryption. + type: integer + url: + description: URL is the url to call key protect + apis over + pattern: ^https:// + type: string + required: + - correlationID + - crkID + - instanceID + - keyVersion + - url + type: object + type: array + region: + description: Region is the IBM Cloud region + type: string + required: + - auth + - keyList + - region + type: object + provider: + description: Provider defines the KMS provider + enum: + - IBMCloud + - AWS + - Azure + type: string + required: + - provider + type: object + type: + description: Type defines the type of kube secret encryption being + used + enum: + - kms + - aescbc + type: string + required: + - type + type: object + serviceAccountSigningKey: + description: |- + ServiceAccountSigningKey is a reference to a secret containing the private key + used by the service account token issuer. The secret is expected to contain + a single key named "key". If not specified, a service account signing key will + be generated automatically for the cluster. When specifying a service account + signing key, a IssuerURL must also be specified. + properties: + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + services: + description: |- + Services specifies how individual control plane services are published from + the hosting cluster of the control plane. + + + If a given service is not present in this list, it will be exposed publicly + by default. + items: + description: |- + ServicePublishingStrategyMapping specifies how individual control plane + services are published from the hosting cluster of a control plane. + properties: + service: + description: Service identifies the type of service being published. + enum: + - APIServer + - OAuthServer + - OIDC + - Konnectivity + - Ignition + - OVNSbDb + type: string + servicePublishingStrategy: + description: ServicePublishingStrategy specifies how to publish + Service. + properties: + loadBalancer: + description: LoadBalancer configures exposing a service + using a LoadBalancer. + properties: + hostname: + description: Hostname is the name of the DNS record + that will be created pointing to the LoadBalancer. + type: string + type: object + nodePort: + description: NodePort configures exposing a service using + a NodePort. + properties: + address: + description: Address is the host/ip that the NodePort + service is exposed over. + type: string + port: + description: |- + Port is the port of the NodePort service. If <=0, the port is dynamically + assigned when the service is created. 
+ format: int32 + type: integer + required: + - address + type: object + route: + description: Route configures exposing a service using a + Route. + properties: + hostname: + description: Hostname is the name of the DNS record + that will be created pointing to the Route. + type: string + type: object + type: + description: Type is the publishing strategy used for the + service. + enum: + - LoadBalancer + - NodePort + - Route + - None + - S3 + type: string + required: + - type + type: object + required: + - service + - servicePublishingStrategy + type: object + type: array + sshKey: + description: |- + SSHKey references an SSH key to be injected into all cluster node sshd + servers. The secret must have a single key "id_rsa.pub" whose value is the + public part of an SSH key. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + tolerations: + description: Tolerations when specified, define what custome tolerations + are added to the hcp pods. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. 
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + updateService: + description: |- + updateService may be used to specify the preferred upstream update service. + By default it will use the appropriate update service for the cluster and region. + type: string + required: + - networking + - platform + - pullSecret + - release + - services + - sshKey + type: object + x-kubernetes-validations: + - message: Services is immutable. Changes might result in unpredictable + and disruptive behavior. + rule: 'self.platform.type != ''IBMCloud'' ? self.services == oldSelf.services + : true' + - message: Azure platform requires APIServer Route service with a hostname + to be defined + rule: 'self.platform.type == ''Azure'' ? self.services.exists(s, s.service + == ''APIServer'' && s.servicePublishingStrategy.type == ''Route'' + && s.servicePublishingStrategy.route.hostname != '''') : true' + - message: Azure platform requires OAuthServer Route service with a hostname + to be defined + rule: 'self.platform.type == ''Azure'' ? 
self.services.exists(s, s.service + == ''OAuthServer'' && s.servicePublishingStrategy.type == ''Route'' + && s.servicePublishingStrategy.route.hostname != '''') : true' + - message: Azure platform requires Konnectivity Route service with a hostname + to be defined + rule: 'self.platform.type == ''Azure'' ? self.services.exists(s, s.service + == ''Konnectivity'' && s.servicePublishingStrategy.type == ''Route'' + && s.servicePublishingStrategy.route.hostname != '''') : true' + - message: Azure platform requires Ignition Route service with a hostname + to be defined + rule: 'self.platform.type == ''Azure'' ? self.services.exists(s, s.service + == ''Ignition'' && s.servicePublishingStrategy.type == ''Route'' && + s.servicePublishingStrategy.route.hostname != '''') : true' + status: + description: Status is the latest observed status of the HostedCluster. + properties: + conditions: + description: |- + Conditions represents the latest available observations of a control + plane's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controlPlaneEndpoint: + description: |- + ControlPlaneEndpoint contains the endpoint information by which + external clients can access the control plane. This is populated + after the infrastructure is ready. + properties: + host: + description: Host is the hostname on which the API server is serving. + type: string + port: + description: Port is the port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + ignitionEndpoint: + description: |- + IgnitionEndpoint is the endpoint injected in the ign config userdata. + It exposes the config for instances to become kubernetes nodes. + type: string + kubeadminPassword: + description: |- + KubeadminPassword is a reference to the secret that contains the initial + kubeadmin user password for the guest cluster. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + kubeconfig: + description: |- + KubeConfig is a reference to the secret containing the default kubeconfig + for the cluster. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + oauthCallbackURLTemplate: + description: |- + OAuthCallbackURLTemplate contains a template for the URL to use as a callback + for identity providers. The [identity-provider-name] placeholder must be replaced + with the name of an identity provider defined on the HostedCluster. + This is populated after the infrastructure is ready. + type: string + platform: + description: Platform contains platform-specific status of the HostedCluster + properties: + aws: + description: AWSPlatformStatus contains status specific to the + AWS platform + properties: + defaultWorkerSecurityGroupID: + description: |- + DefaultWorkerSecurityGroupID is the ID of a security group created by + the control plane operator. It is always added to worker machines in + addition to any security groups specified in the NodePool. + type: string + type: object + type: object + version: + description: |- + Version is the status of the release version applied to the + HostedCluster. + properties: + availableUpdates: + description: |- + availableUpdates contains updates recommended for this + cluster. Updates which appear in conditionalUpdates but not in + availableUpdates may expose this cluster to known issues. This list + may be empty if no updates are recommended, if the update service + is unavailable, or if an invalid channel has been specified. 
+ items: + description: Release represents an OpenShift release image and + associated metadata. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. + type: string + type: object + nullable: true + type: array + conditionalUpdates: + description: |- + conditionalUpdates contains the list of updates that may be + recommended for this cluster if it meets specific required + conditions. Consumers interested in the set of updates that are + actually recommended for this cluster should use + availableUpdates. This list may be empty if no updates are + recommended, if the update service is unavailable, or if an empty + or invalid channel has been specified. + items: + description: |- + ConditionalUpdate represents an update which is recommended to some + clusters on the version the current cluster is reconciling, but which + may not be recommended for the current cluster. + properties: + conditions: + description: |- + conditions represents the observations of the conditional update's + current status. Known types are: + * Recommended, for whether the update is recommended for the current cluster. 
+ items: + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the + field path .status.conditions. For example,\n\n\n\ttype + FooStatus struct{\n\t // Represents the observations + of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + release: + description: release is the target of the update. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. 
+ type: string + type: object + risks: + description: |- + risks represents the range of issues associated with + updating to the target release. The cluster-version + operator will evaluate all entries, and only recommend the + update if there is at least one entry and all entries + recommend the update. + items: + description: |- + ConditionalUpdateRisk represents a reason and cluster-state + for not recommending a conditional update. + properties: + matchingRules: + description: |- + matchingRules is a slice of conditions for deciding which + clusters match the risk and which do not. The slice is + ordered by decreasing precedence. The cluster-version + operator will walk the slice in order, and stop after the + first it can successfully evaluate. If no condition can be + successfully evaluated, the update will not be recommended. + items: + description: |- + ClusterCondition is a union of typed cluster conditions. The 'type' + property determines which of the type-specific properties are relevant. + When evaluated on a cluster, the condition may match, not match, or + fail to evaluate. + properties: + promql: + description: promQL represents a cluster condition + based on PromQL. + properties: + promql: + description: |- + PromQL is a PromQL query classifying clusters. This query + query should return a 1 in the match case and a 0 in the + does-not-match case. Queries which return no time + series, or which return values besides 0 or 1, are + evaluation failures. + type: string + required: + - promql + type: object + type: + description: |- + type represents the cluster-condition type. This defines + the members and semantics of any additional properties. + enum: + - Always + - PromQL + type: string + required: + - type + type: object + minItems: 1 + type: array + x-kubernetes-list-type: atomic + message: + description: |- + message provides additional information about the risk of + updating, in the event that matchingRules match the cluster + state. 
This is only to be consumed by humans. It may + contain Line Feed characters (U+000A), which should be + rendered as new lines. + minLength: 1 + type: string + name: + description: |- + name is the CamelCase reason for not recommending a + conditional update, in the event that matchingRules match the + cluster state. + minLength: 1 + type: string + url: + description: url contains information about this risk. + format: uri + minLength: 1 + type: string + required: + - matchingRules + - message + - name + - url + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - release + - risks + type: object + type: array + x-kubernetes-list-type: atomic + desired: + description: |- + desired is the version that the cluster is reconciling towards. + If the cluster is not yet fully initialized desired will be set + with the information available, which may be an image or a tag. + properties: + channels: + description: |- + channels is the set of Cincinnati channels to which the release + currently belongs. + items: + type: string + type: array + x-kubernetes-list-type: set + image: + description: |- + image is a container image location that contains the update. When this + field is part of spec, image is optional if version is specified and the + availableUpdates field contains a matching version. + type: string + url: + description: |- + url contains information about this release. This URL is set by + the 'url' metadata property on a release or the metadata returned by + the update API and should be displayed as a link in user + interfaces. The URL field may not be set for test or nightly + releases. + type: string + version: + description: |- + version is a semantic version identifying the update version. When this + field is part of spec, version is optional if image is specified. 
+ type: string + type: object + history: + description: |- + history contains a list of the most recent versions applied to the cluster. + This value may be empty during cluster startup, and then will be updated + when a new update is being applied. The newest update is first in the + list and it is ordered by recency. Updates in the history have state + Completed if the rollout completed - if an update was failing or halfway + applied the state will be Partial. Only a limited amount of update history + is preserved. + items: + description: UpdateHistory is a single attempted update to the + cluster. + properties: + acceptedRisks: + description: |- + acceptedRisks records risks which were accepted to initiate the update. + For example, it may menition an Upgradeable=False or missing signature + that was overriden via desiredUpdate.force, or an update that was + initiated despite not being in the availableUpdates set of recommended + update targets. + type: string + completionTime: + description: |- + completionTime, if set, is when the update was fully applied. The update + that is currently being applied will have a null completion time. + Completion time will always be set for entries that are not the current + update (usually to the started time of the next update). + format: date-time + nullable: true + type: string + image: + description: |- + image is a container image location that contains the update. This value + is always populated. + type: string + startedTime: + description: startedTime is the time at which the update + was started. + format: date-time + type: string + state: + description: |- + state reflects whether the update was fully applied. The Partial state + indicates the update is not fully applied, while the Completed state + indicates the update was successfully rolled out at least once (all + parts of the update successfully applied). 
+ type: string
+ verified:
+ description: |-
+ verified indicates whether the provided update was properly verified
+ before it was installed. If this is false the cluster may not be trusted.
+ Verified does not cover upgradeable checks that depend on the cluster
+ state at the time when the update target was accepted.
+ type: boolean
+ version:
+ description: |-
+ version is a semantic version identifying the update version. If the
+ requested image does not define a version, or if a failure occurs
+ retrieving the image, this value may be empty.
+ type: string
+ required:
+ - completionTime
+ - image
+ - startedTime
+ - state
+ - verified
+ type: object
+ type: array
+ observedGeneration:
+ description: |-
+ observedGeneration reports which version of the spec is being synced.
+ If this value is not equal to metadata.generation, then the desired
+ and conditions fields may represent a previous version.
+ format: int64
+ type: integer
+ required:
+ - availableUpdates
+ - desired
+ - observedGeneration
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/test/configuration/hypershift-configmap.yaml b/test/configuration/hypershift-configmap.yaml
new file mode 100644
index 0000000..c8ad983
--- /dev/null
+++ b/test/configuration/hypershift-configmap.yaml
@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: hypershift-operator-install-flags
+ namespace: local-cluster
+data:
+ installFlagsToAdd: "--enable-conversion-webhook=false --managed-service ARO-HCP"
+ installFlagsToRemove: "--enable-uwm-telemetry-remote-write --platform-monitoring --enable-defaulting-webhook --enable-validating-webhook"
diff --git a/test/configuration/klusterletconfig.yaml b/test/configuration/klusterletconfig.yaml
deleted file mode 100644
index 7751a81..0000000
--- a/test/configuration/klusterletconfig.yaml
+++ /dev/null
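Review bot: `installFlagsToRemove` in the new ConfigMap drops `--enable-defaulting-webhook` and `--enable-validating-webhook`, and `installFlagsToAdd` sets `--enable-conversion-webhook=false`, so in this test hub HostedCluster and NodePool objects are admitted without the operator's defaulting, validation and conversion webhooks; only the CRD's OpenAPI schema and its `x-kubernetes-validations` rules still gate them. Nothing in the file records why, so a reader cannot tell whether this is a deliberate trade-off for the e2e environment or a leftover. A comment above `data:` would make that explicit, e.g. `# e2e only: hypershift operator admission webhooks are disabled on the test hub; do not reuse these flags for a production install`. The ConfigMap is presumably consumed by the hypershift add-on when it installs the operator into `local-cluster`, but the hunk does not show the consumer, so a second comment naming it would also help.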
@@ -1,6 +0,0 @@
-apiVersion: config.open-cluster-management.io/v1alpha1
-kind: KlusterletConfig
-metadata:
- name: global
-spec:
- hubKubeAPIServerURL: "https://hub-control-plane:6443"
diff --git a/test/configuration/mce-values.yaml b/test/configuration/mce-values.yaml
index 09ab3dd..4dcd777 100644
--- a/test/configuration/mce-values.yaml
+++ b/test/configuration/mce-values.yaml
@@ -4,28 +4,18 @@ availabilityConfig: Basic
 images:
 overrides:
- backplane_operator: "quay.io/stolostron/backplane-operator:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- registration_operator: "quay.io/stolostron/registration-operator:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- hypershift_addon_operator: "quay.io/stolostron/hypershift-addon-operator:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- managedcluster_import_controller: "quay.io/stolostron/managedcluster-import-controller:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- multicloud_manager: "quay.io/stolostron/multicloud-manager:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- addon_manager: "quay.io/stolostron/addon-manager:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- work: "quay.io/stolostron/work:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- registration: "quay.io/stolostron/registration:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- placement: "quay.io/stolostron/placement:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- kube_rbac_proxy_mce: "quay.io/stolostron/kube-rbac-proxy-mce:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
+ backplane_operator: "quay.io/stolostron/backplane-operator:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ registration_operator: "quay.io/stolostron/registration-operator:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ hypershift_addon_operator: "quay.io/stolostron/hypershift-addon-operator:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ hypershift_operator: "quay.io/acm-d/hypershift-rhel9-operator:v2.8.0-4"
+ managedcluster_import_controller: "quay.io/stolostron/managedcluster-import-controller:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ multicloud_manager: "quay.io/stolostron/multicloud-manager:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ addon_manager: "quay.io/stolostron/addon-manager:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ work: "quay.io/stolostron/work:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ registration: "quay.io/stolostron/registration:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ placement: "quay.io/stolostron/placement:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ kube_rbac_proxy_mce: "quay.io/stolostron/kube-rbac-proxy-mce:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ clusterlifecycle_state_metrics: "quay.io/stolostron/clusterlifecycle-state-metrics:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
-
- #images in MCE 2.6.2
- # backplane_operator: "registry.redhat.io/multicluster-engine/backplane-rhel9-operator@sha256:eb15286f728e32851b426f86b3a1ce5ed186cdb1a67287e98ff5925dc558a2a9"
- # registration_operator: "registry.redhat.io/multicluster-engine/registration-operator-rhel9@sha256:efe0091dd6d389190c0acf47cb8980ed8ba7d90bdf04b3b2e9dc07926c0d0bca"
- # hypershift_addon_operator: "registry.redhat.io/multicluster-engine/hypershift-addon-rhel9-operator@sha256:7b375b10a5f6434aad3801e486e51a9404d88899a84593686856f3340a5889fa"
- # managedcluster_import_controller: "registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:89dea3fa0cc7cb182d49436bb93214af73bac1383caa59766c97b6fdad2b14b5"
- # multicloud_manager: "registry.redhat.io/multicluster-engine/multicloud-manager-rhel9@sha256:089188b25407a49ba042bd65a8afc6a6c86d68b8d7ac3da722196f0cd85383ae"
- # addon_manager: "registry.redhat.io/multicluster-engine/addon-manager-rhel9@sha256:93b21a4356230da6f70edac4d8770b5e0af2f40a37ec454b00b12b5aa76fb4c3"
- # work: "registry.redhat.io/multicluster-engine/work-rhel9@sha256:bf6c7384283046093605659e866ed6a4e2c7c81690f5180894099d4691b97aa3"
- # registration: "registry.redhat.io/multicluster-engine/registration-rhel9@sha256:e05fe0fb10bd9abd3f653fc01ea25dab0e78b3dbe932b2da3375585dffc7f4b6"
- # placement: "registry.redhat.io/multicluster-engine/placement-rhel9@sha256:307b984b4315b9e22c520be893c2522d4bf3090cd90b10ba1aefb740bc7b7cc2"
- # kube_rbac_proxy_mce: "registry.redhat.io/multicluster-engine/kube-rbac-proxy-mce-rhel9@sha256:b5f6f36487e70b543afacd33255b0c4f504bbd62bd5b7f46648c098db4466393"
 imageCredentials:
 dockerConfigJson: ""
diff --git a/test/configuration/multiclusterengine.yaml b/test/configuration/multiclusterengine.yaml
index 8882bfe..3535938 100644
--- a/test/configuration/multiclusterengine.yaml
+++ b/test/configuration/multiclusterengine.yaml
@@ -17,7 +17,7 @@ spec:
 name: hypershift-local-hosting
 - enabled: true
 name: hypershift
- - enabled: false
+ - enabled: true
 name: cluster-lifecycle
 - enabled: false
 name: discovery
diff --git a/test/configuration/policy-values.yaml b/test/configuration/policy-values.yaml
index e75a639..ce90c92 100644
--- a/test/configuration/policy-values.yaml
+++ b/test/configuration/policy-values.yaml
@@ -4,18 +4,12 @@ global:
 # registryOverride: "registry.redhat.io"
 imageOverrides:
 # upstream images
- governance_policy_propagator: "governance-policy-propagator:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- governance_policy_addon_controller: "governance-policy-addon-controller:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- config_policy_controller: "config-policy-controller:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- governance_policy_framework_addon: "governance-policy-framework-addon:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
- klusterlet_addon_controller: "klusterlet-addon-controller:2.13.0-SNAPSHOT-2024-11-20-23-56-00"
+ governance_policy_propagator: "governance-policy-propagator:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ governance_policy_addon_controller: "governance-policy-addon-controller:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ config_policy_controller: "config-policy-controller:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ governance_policy_framework_addon: "governance-policy-framework-addon:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
+ klusterlet_addon_controller: "klusterlet-addon-controller:2.13.0-SNAPSHOT-2024-11-26-00-59-13"
- # images in ACM 2.11.2
- # governance_policy_propagator: "rhacm2/governance-policy-propagator-rhel9@sha256:af848e7e31d8ec9b5ad1896a5d5ccc67f320a7740245c190ba8a76757984e65b"
- # governance_policy_addon_controller: "rhacm2/acm-governance-policy-addon-controller-rhel9@sha256:fc0708f0a6d5266fb544f41b61d9697d370c8c5e297e4e3f13de8656f9c2b049"
- # config_policy_controller: "rhacm2/config-policy-controller-rhel9@sha256:cecf914d7fb7759a4f512c1ec53a077dcb1c7e405c22a5bf6af1bf5878cf3c42"
- # governance_policy_framework_addon: "rhacm2/acm-governance-policy-framework-addon-rhel9@sha256:a4880f6e82d2b82606203ea855d0418bb29b3d4535f8bc7a9ef4074258c18674"
- # klusterlet_addon_controller: "rhacm2/klusterlet-addon-controller-rhel9@sha256:478e3e6cda0d74f43b0f05911d023344108a5cd79d57d5cc9f268ad064848a00"
 namespace: multicluster-engine
 pullSecret: open-cluster-management-image-pull-credentials
diff --git a/test/e2e/local_cluster_test.go b/test/e2e/local_cluster_test.go
index 62f21f7..03d5173 100644
--- a/test/e2e/local_cluster_test.go
+++ b/test/e2e/local_cluster_test.go
@@ -18,28 +18,40 @@ var _ = ginkgo.Describe("check if local-cluster is healthy", func() {
 })
 ginkgo.It("check status of the local-cluster", func() {
- cluster, err := HubClients.ClusterClient.ClusterV1().ManagedClusters().Get(context.Background(),
- LocalClusterName, metav1.GetOptions{})
- gomega.Expect(err).ToNot(gomega.HaveOccurred())
- gomega.Expect(CheckManagedClusterStatus(cluster)).ToNot(gomega.HaveOccurred())
+ gomega.Eventually(func() error {
+ cluster, err := HubClients.ClusterClient.ClusterV1().ManagedClusters().Get(context.Background(),
+ LocalClusterName, metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("failed get local-cluster: %v", err)
+ }
+ return CheckManagedClusterStatus(cluster)
+ }).Should(gomega.Succeed())
 })
 ginkgo.It("check status of the addons in local-cluster", func() {
- addons, err := HubClients.AddonClient.AddonV1alpha1().ManagedClusterAddOns(LocalClusterName).
- List(context.Background(), metav1.ListOptions{})
- gomega.Expect(err).ToNot(gomega.HaveOccurred())
- gomega.Expect(len(addons.Items)).Should(gomega.Equal(4))
-
- for _, addon := range addons.Items {
- switch addon.Name {
- case WorkManagerAddonName, GovernancePolicyFrameworkAddonName, ConfigPolicyAddonName:
- gomega.Expect(CheckAddonStatus(addon)).ToNot(gomega.HaveOccurred())
- case HypershiftAddonName:
- // TODO: is not ready since there is no hyperShiftOperator ?
- default:
- err := fmt.Errorf("unexpected addon: %s", addon.Name)
- gomega.Expect(err).ToNot(gomega.HaveOccurred())
+ gomega.Eventually(func() error {
+ addons, err := HubClients.AddonClient.AddonV1alpha1().ManagedClusterAddOns(LocalClusterName).
+ List(context.Background(), metav1.ListOptions{})
+ if err != nil {
+ return fmt.Errorf("failed list addons: %v", err)
+ }
+
+ if len(addons.Items) != 4 {
+ return fmt.Errorf("expect 4 addons but got %v", len(addons.Items))
+ }
+
+ for _, addon := range addons.Items {
+ switch addon.Name {
+ case WorkManagerAddonName, HypershiftAddonName, GovernancePolicyFrameworkAddonName, ConfigPolicyAddonName:
+ if err := CheckAddonStatus(addon); err != nil {
+ return fmt.Errorf("addon %v status is not avaiable: %v", addon.Name, err)
+ }
+
+ default:
+ return fmt.Errorf("unexpected addon: %s", addon.Name)
+ }
 }
- }
+ return nil
+ }).Should(gomega.Succeed())
 })
 })
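Review bot: The error built in the add-on `case` branch misspells "available" and formats a string field with `%v`: `return fmt.Errorf("addon %v status is not avaiable: %v", addon.Name, err)` should read `return fmt.Errorf("addon %q status is not available: %w", addon.Name, err)` so the name is quoted and the underlying error stays inspectable with `errors.Is`/`errors.As`; the two other `fmt.Errorf` wrappers in the hunk would likewise benefit from `%w`. Both `gomega.Eventually` calls carry no `.WithTimeout`/`.WithPolling`, so they run with the suite-wide defaults, which are not visible here; unless `SetDefaultEventuallyTimeout` is configured elsewhere in the suite, gomega's default of one second leaves little room for the add-ons to become available, so an explicit timeout on each call would make the intended wait visible. The hard-coded `4` in the length check and the names in the `case` list encode the same expected add-on set twice; a single package-level slice used for both the count and the membership check would keep them from drifting. The enclosing Describe starts before the hunk.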