From 2d8fc3da1e40210d9401b5dc0a98d02a163a5b6b Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Thu, 9 Apr 2026 21:32:37 -0400 Subject: [PATCH 1/2] vendor: bump library-go, api, client-go --- go.mod | 4 +- go.sum | 8 +- .../github.com/openshift/api/.golangci.yaml | 6 + .../openshift/api/config/v1/types.go | 5 + .../openshift/api/config/v1/types_dns.go | 9 +- .../api/config/v1/types_infrastructure.go | 1 - ...operator_01_dnses-CustomNoUpgrade.crd.yaml | 198 + ..._config-operator_01_dnses-Default.crd.yaml | 198 + ...ator_01_dnses-DevPreviewNoUpgrade.crd.yaml | 198 + ..._10_config-operator_01_dnses-OKD.crd.yaml} | 11 +- ...tor_01_dnses-TechPreviewNoUpgrade.crd.yaml | 198 + ...erator_01_infrastructures-Default.crd.yaml | 115 + ...g-operator_01_infrastructures-OKD.crd.yaml | 115 + .../api/config/v1/zz_generated.deepcopy.go | 1 + ..._generated.featuregated-crd-manifests.yaml | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 4 +- .../v1alpha1/types_cluster_monitoring.go | 203 +- ...ig-operator_01_clustermonitorings.crd.yaml | 740 +++- .../config/v1alpha1/zz_generated.deepcopy.go | 90 + .../zz_generated.swagger_doc_generated.go | 40 +- .../openshift/api/envtest-releases.yaml | 26 + .../github.com/openshift/api/etcd/install.go | 3 +- .../github.com/openshift/api/etcd/v1/Makefile | 3 + .../github.com/openshift/api/etcd/v1/doc.go | 6 + .../openshift/api/etcd/v1/register.go | 39 + .../api/etcd/v1/types_pacemakercluster.go | 737 ++++ .../api/etcd/v1/zz_generated.deepcopy.go | 210 ++ ..._generated.featuregated-crd-manifests.yaml | 23 + .../v1/zz_generated.swagger_doc_generated.go | 89 + .../etcd/v1alpha1/types_pacemakercluster.go | 5 +- .../zz_generated.swagger_doc_generated.go | 2 +- vendor/github.com/openshift/api/features.md | 14 +- .../openshift/api/features/features.go | 54 +- .../api/machineconfiguration/v1/types.go | 33 +- ...controllerconfigs-CustomNoUpgrade.crd.yaml | 10 +- ...nfig_01_controllerconfigs-Default.crd.yaml | 127 +- ...rollerconfigs-DevPreviewNoUpgrade.crd.yaml | 10 +- ...e-config_01_controllerconfigs-OKD.crd.yaml | 127 +- ...ollerconfigs-TechPreviewNoUpgrade.crd.yaml | 10 +- ..._machine-config_01_kubeletconfigs.crd.yaml | 33 +- ..._generated.featuregated-crd-manifests.yaml | 2 +- .../v1/zz_generated.swagger_doc_generated.go | 10 +- .../operator/v1/types_csi_cluster_driver.go | 10 +- .../api/operator/v1/types_ingress.go | 43 + ...iserver_01_kubeapiservers-Default.crd.yaml | 335 -- ...ubeapiservers-DevPreviewNoUpgrade.crd.yaml | 349 -- ...e-apiserver_01_kubeapiservers-OKD.crd.yaml | 335 -- ...beapiservers-TechPreviewNoUpgrade.crd.yaml | 349 -- ...kube-apiserver_01_kubeapiservers.crd.yaml} | 1 - ...clustercsidrivers-CustomNoUpgrade.crd.yaml | 11 +- ...iver_01_clustercsidrivers-Default.crd.yaml | 11 +- ...tercsidrivers-DevPreviewNoUpgrade.crd.yaml | 11 +- ...i-driver_01_clustercsidrivers-OKD.crd.yaml | 11 +- ...ercsidrivers-TechPreviewNoUpgrade.crd.yaml | 11 +- ...ngresscontrollers-CustomNoUpgrade.crd.yaml | 3317 +++++++++++++++++ ...ess_00_ingresscontrollers-Default.crd.yaml | 3286 ++++++++++++++++ ...sscontrollers-DevPreviewNoUpgrade.crd.yaml | 3317 +++++++++++++++++ ...ngress_00_ingresscontrollers-OKD.crd.yaml} | 1 + ...scontrollers-TechPreviewNoUpgrade.crd.yaml | 3317 +++++++++++++++++ ..._generated.featuregated-crd-manifests.yaml | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 3 +- .../openshift/api/quota/v1/generated.proto | 2 +- .../openshift/api/quota/v1/types.go | 2 +- ..._generated.featuregated-crd-manifests.yaml | 4 +- .../library-go/pkg/crypto/cert_config.go | 225 ++ .../openshift/library-go/pkg/crypto/keygen.go | 118 + .../library-go/pkg/crypto/options.go | 49 + .../library-go/pkg/crypto/tls_adherence.go | 23 + .../client_cert_rotation_controller.go | 6 +- .../pkg/operator/certrotation/signer.go | 80 +- .../pkg/operator/certrotation/target.go | 164 +- .../pkg/operator/v1helpers/helpers.go | 11 + .../openshift/library-go/pkg/pki/profile.go | 114 + .../openshift/library-go/pkg/pki/provider.go | 75 + .../openshift/library-go/pkg/pki/resolve.go | 77 + .../openshift/library-go/pkg/pki/types.go | 23 + .../k8s.io/code-generator/generate-groups.sh | 0 .../generate-internal-groups.sh | 0 vendor/modules.txt | 6 +- 79 files changed, 17888 insertions(+), 1534 deletions(-) create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/{0000_10_config-operator_01_dnses.crd.yaml => 0000_10_config-operator_01_dnses-OKD.crd.yaml} (91%) create mode 100644 vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/etcd/v1/Makefile create mode 100644 vendor/github.com/openshift/api/etcd/v1/doc.go create mode 100644 vendor/github.com/openshift/api/etcd/v1/register.go create mode 100644 vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go create mode 100644 vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go create mode 100644 vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml create mode 100644 vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml delete mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/{0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml => 0000_20_kube-apiserver_01_kubeapiservers.crd.yaml} (99%) create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/{0000_50_ingress_00_ingresscontrollers.crd.yaml => 0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml} (99%) create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go create mode 100644 vendor/github.com/openshift/library-go/pkg/crypto/keygen.go create mode 100644 vendor/github.com/openshift/library-go/pkg/crypto/options.go create mode 100644 vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go create mode 100644 vendor/github.com/openshift/library-go/pkg/pki/profile.go create mode 100644 vendor/github.com/openshift/library-go/pkg/pki/provider.go create mode 100644 vendor/github.com/openshift/library-go/pkg/pki/resolve.go create mode 100644 vendor/github.com/openshift/library-go/pkg/pki/types.go mode change 100644 => 100755 vendor/k8s.io/code-generator/generate-groups.sh mode change 100644 => 100755 vendor/k8s.io/code-generator/generate-internal-groups.sh diff --git a/go.mod b/go.mod index eddb5feb91..2767706c8b 100644 --- a/go.mod +++ b/go.mod @@ -37,9 +37,9 @@ require ( github.com/onsi/gomega v1.38.2 github.com/opencontainers/go-digest v1.0.0 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818 - github.com/openshift/api v0.0.0-20260326111139-30c2ef7a272e + github.com/openshift/api v0.0.0-20260408160412-464776f95207 github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7 - github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 + github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b github.com/prometheus/client_golang v1.23.2 github.com/rs/zerolog v1.34.0 diff --git a/go.sum b/go.sum index dc62481233..59ec014cc2 100644 --- a/go.sum +++ b/go.sum @@ -623,8 +623,8 @@ github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+L github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s= github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818 h1:jJLE/aCAqDf8U4wc3bE1IEKgIxbb0ICjCNVFA49x/8s= github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M= -github.com/openshift/api v0.0.0-20260326111139-30c2ef7a272e h1:SbgwHvkc6vgiqHOfGrbumjPvtOvJmCwJoFEwr7rAKzY= -github.com/openshift/api v0.0.0-20260326111139-30c2ef7a272e/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= +github.com/openshift/api v0.0.0-20260408160412-464776f95207 h1:56S2U6pUgD3uYe8cQMsaBxQmUWIBpFw9YHOPFvfdfN4= +github.com/openshift/api v0.0.0-20260408160412-464776f95207/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7 h1:5GSoQlywIwYsRCw3qN+ZDmN6HrXTMZfI33bdRNm2jRQ= github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7/go.mod h1:HhXTUIMhgzxR3Ln/zEkr4QjTL0NN7A+t9Py/we9j2ug= github.com/openshift/kubernetes v1.30.1-0.20260305123649-d18f3f005eaa h1:/gPMWR7fdCC3S4wHALD6Em+vztl1q9/cOpdMkFZwDus= @@ -675,8 +675,8 @@ github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0 github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20260305123649-d18f3f005eaa/go.mod h1:6wqqkK0+5hV+CLJ3uz9A1lkjxXRvkbq+5RnZdUZx/H8= github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20260305123649-d18f3f005eaa h1:JY4k94JmDGQp2Pj94Cw2xtIjs7MpPkU9n8zNPDTbiKo= github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20260305123649-d18f3f005eaa/go.mod h1:CnFDBq5NGnfOSMeOP8l4SNYJrxK6Z1kUaKdu3Qq9Uik= -github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 h1:xjqy0OolrFdJ+ofI/aD0+2k9+MSk5anP5dXifFt539Q= -github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6/go.mod h1:D797O/ssKTNglbrGchjIguFq+DbyRYdeds5w4/VTrKM= +github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720 h1:ljxETzJc/vDgMJlaSB8GRryBHZOAIENA2Wo5arD8avM= +github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720/go.mod h1:3bi4pLpYRdVd1aEhsHfRTJkwxwPLfRZ+ZePn3RmJd2k= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b h1:oXzC1N6E9gw76/WH2gEA8GEHvuq09wuVQ9GoCuR8GF4= diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml index 608fb0ed2e..53c9b4009e 100644 --- a/vendor/github.com/openshift/api/.golangci.yaml +++ b/vendor/github.com/openshift/api/.golangci.yaml @@ -111,6 +111,12 @@ linters: # Silence norefs lint for `Ref` field in ClusterAPI as it refers to an OCI image reference, not a kube object reference. path: operator/v1alpha1/types_clusterapi.go text: "noreferences: naming convention \"no-references\": field ClusterAPIInstallerComponentImage.Ref: field names should not contain reference-related words" + - linters: + - kubeapilinter + # PacemakerCluster intentionally marks Conditions as required with XValidation rules + # to enforce specific condition types are always present. + path: etcd/v1/types_pacemakercluster.go + text: "conditions: Conditions field in (PacemakerClusterStatus|PacemakerClusterNodeStatus|PacemakerClusterFencingAgentStatus|PacemakerClusterResourceStatus) is missing the following markers: optional" - linters: - kubeapilinter path: features|payload-command/*.go diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go index 3e17ca0ccb..e7106ef7ab 100644 --- a/vendor/github.com/openshift/api/config/v1/types.go +++ b/vendor/github.com/openshift/api/config/v1/types.go @@ -284,7 +284,12 @@ type ClientConnectionOverrides struct { } // GenericControllerConfig provides information to configure a controller +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 type GenericControllerConfig struct { + metav1.TypeMeta `json:",inline"` + // servingInfo is the HTTP serving information for the controller's endpoints ServingInfo HTTPServingInfo `json:"servingInfo"` diff --git a/vendor/github.com/openshift/api/config/v1/types_dns.go b/vendor/github.com/openshift/api/config/v1/types_dns.go index 06eb75ccf7..efbdc3ae54 100644 --- a/vendor/github.com/openshift/api/config/v1/types_dns.go +++ b/vendor/github.com/openshift/api/config/v1/types_dns.go @@ -134,7 +134,14 @@ type AWSDNSSpec struct { // privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing // operations on the cluster's private hosted zone specified in the cluster DNS config. // When left empty, no role should be assumed. - // +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$` + // + // The ARN must follow the format: arn::iam:::role/, where: + // is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + // is a 12-digit numeric identifier for the AWS account, + // is the IAM role name. + // + // +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn::iam:::role/` + // +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSEuropeanSovereignCloudInstall,rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn::iam:::role/` // +optional PrivateZoneIAMRole string `json:"privateZoneIAMRole"` } diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 160f8fd4c0..c579be3a11 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -787,7 +787,6 @@ type GCPPlatformStatus struct { // // +default={"dnsType": "PlatformDefault"} // +kubebuilder:default={"dnsType": "PlatformDefault"} - // +openshift:enable:FeatureGate=GCPClusterHostedDNSInstall // +optional // +nullable CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"` diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..05d56f63cf --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml @@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS holds cluster-wide information about DNS. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + baseDomain: + description: |- + baseDomain is the base domain of the cluster. All managed DNS records will + be sub-domains of this base. + + For example, given the base domain `openshift.example.com`, an API server + DNS record may be created for `cluster-api.openshift.example.com`. + + Once set, this field cannot be changed. + type: string + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for DNS. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains DNS configuration specific to the Amazon + Web Services cloud provider. + properties: + privateZoneIAMRole: + description: |- + privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing + operations on the cluster's private hosted zone specified in the cluster DNS config. + When left empty, no role should be assumed. + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. + type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS IAM role + ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values: "", "AWS". + + Individual components may not support all platforms, + and must handle unrecognized platforms with best-effort defaults. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + x-kubernetes-validations: + - message: allowed values are '' and 'AWS' + rule: self in ['','AWS'] + required: + - type + type: object + x-kubernetes-validations: + - message: aws configuration is required when platform is AWS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) : + !has(self.aws)' + privateZone: + description: |- + privateZone is the location where all the DNS records that are only available internally + to the cluster exist. + + If this field is nil, no private records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + publicZone: + description: |- + publicZone is the location where all the DNS records that are publicly accessible to + the internet exist. + + If this field is nil, no public records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-Default.crd.yaml new file mode 100644 index 0000000000..93954dcc36 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-Default.crd.yaml @@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS holds cluster-wide information about DNS. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + baseDomain: + description: |- + baseDomain is the base domain of the cluster. All managed DNS records will + be sub-domains of this base. + + For example, given the base domain `openshift.example.com`, an API server + DNS record may be created for `cluster-api.openshift.example.com`. + + Once set, this field cannot be changed. + type: string + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for DNS. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains DNS configuration specific to the Amazon + Web Services cloud provider. + properties: + privateZoneIAMRole: + description: |- + privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing + operations on the cluster's private hosted zone specified in the cluster DNS config. + When left empty, no role should be assumed. + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. + type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS IAM role + ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$') + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values: "", "AWS". + + Individual components may not support all platforms, + and must handle unrecognized platforms with best-effort defaults. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + x-kubernetes-validations: + - message: allowed values are '' and 'AWS' + rule: self in ['','AWS'] + required: + - type + type: object + x-kubernetes-validations: + - message: aws configuration is required when platform is AWS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) : + !has(self.aws)' + privateZone: + description: |- + privateZone is the location where all the DNS records that are only available internally + to the cluster exist. + + If this field is nil, no private records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + publicZone: + description: |- + publicZone is the location where all the DNS records that are publicly accessible to + the internet exist. + + If this field is nil, no public records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..f2d9157713 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS holds cluster-wide information about DNS. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + baseDomain: + description: |- + baseDomain is the base domain of the cluster. All managed DNS records will + be sub-domains of this base. + + For example, given the base domain `openshift.example.com`, an API server + DNS record may be created for `cluster-api.openshift.example.com`. + + Once set, this field cannot be changed. + type: string + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for DNS. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains DNS configuration specific to the Amazon + Web Services cloud provider. + properties: + privateZoneIAMRole: + description: |- + privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing + operations on the cluster's private hosted zone specified in the cluster DNS config. + When left empty, no role should be assumed. + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. + type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS IAM role + ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values: "", "AWS". + + Individual components may not support all platforms, + and must handle unrecognized platforms with best-effort defaults. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + x-kubernetes-validations: + - message: allowed values are '' and 'AWS' + rule: self in ['','AWS'] + required: + - type + type: object + x-kubernetes-validations: + - message: aws configuration is required when platform is AWS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) : + !has(self.aws)' + privateZone: + description: |- + privateZone is the location where all the DNS records that are only available internally + to the cluster exist. + + If this field is nil, no private records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + publicZone: + description: |- + publicZone is the location where all the DNS records that are publicly accessible to + the internet exist. + + If this field is nil, no public records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-OKD.crd.yaml similarity index 91% rename from vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses.crd.yaml rename to vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-OKD.crd.yaml index 06fb0be0b2..0631512bca 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-OKD.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: OKD name: dnses.config.openshift.io spec: group: config.openshift.io @@ -71,8 +72,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS IAM role + ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$') type: object type: description: |- diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..ce4e9b77f0 --- /dev/null +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: dnses.config.openshift.io +spec: + group: config.openshift.io + names: + kind: DNS + listKind: DNSList + plural: dnses + singular: dns + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + DNS holds cluster-wide information about DNS. The canonical name is `cluster` + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + baseDomain: + description: |- + baseDomain is the base domain of the cluster. All managed DNS records will + be sub-domains of this base. + + For example, given the base domain `openshift.example.com`, an API server + DNS record may be created for `cluster-api.openshift.example.com`. + + Once set, this field cannot be changed. + type: string + platform: + description: |- + platform holds configuration specific to the underlying + infrastructure provider for DNS. + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + properties: + aws: + description: aws contains DNS configuration specific to the Amazon + Web Services cloud provider. + properties: + privateZoneIAMRole: + description: |- + privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing + operations on the cluster's private hosted zone specified in the cluster DNS config. + When left empty, no role should be assumed. + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. + type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS IAM role + ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') + type: object + type: + description: |- + type is the underlying infrastructure provider for the cluster. + Allowed values: "", "AWS". + + Individual components may not support all platforms, + and must handle unrecognized platforms with best-effort defaults. + enum: + - "" + - AWS + - Azure + - BareMetal + - GCP + - Libvirt + - OpenStack + - None + - VSphere + - oVirt + - IBMCloud + - KubeVirt + - EquinixMetal + - PowerVS + - AlibabaCloud + - Nutanix + - External + type: string + x-kubernetes-validations: + - message: allowed values are '' and 'AWS' + rule: self in ['','AWS'] + required: + - type + type: object + x-kubernetes-validations: + - message: aws configuration is required when platform is AWS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) : + !has(self.aws)' + privateZone: + description: |- + privateZone is the location where all the DNS records that are only available internally + to the cluster exist. + + If this field is nil, no private records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + publicZone: + description: |- + publicZone is the location where all the DNS records that are publicly accessible to + the internet exist. + + If this field is nil, no public records should be created. + + Once set, this field cannot be changed. + properties: + id: + description: |- + id is the identifier that can be used to find the DNS hosted zone. + + on AWS zone can be fetched using `ID` as id in [1] + on Azure zone can be fetched using `ID` as a pre-determined name in [2], + on GCP zone can be fetched using `ID` as a pre-determined name in [3]. + + [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options + [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show + [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get + type: string + tags: + additionalProperties: + type: string + description: |- + tags can be used to query the DNS hosted zone. + + on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, + + [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options + type: object + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml index 3caa584943..8d94616b35 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml @@ -828,6 +828,17 @@ spec: - topology - zone type: object + x-kubernetes-validations: + - message: when zoneAffinity type is HostGroup, regionAffinity + type must be ComputeCluster + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''HostGroup'' ? has(self.regionAffinity) && self.regionAffinity.type + == ''ComputeCluster'' : true' + - message: when zoneAffinity type is ComputeCluster, regionAffinity + type must be Datacenter + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''ComputeCluster'' ? has(self.regionAffinity) && + self.regionAffinity.type == ''Datacenter'' : true' type: array x-kubernetes-list-map-keys: - name @@ -1056,6 +1067,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1261,6 +1273,109 @@ spec: description: armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack. type: string + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. + enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType is + ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' cloudName: description: |- cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml index 15a2f8e559..b107d7e44c 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml @@ -828,6 +828,17 @@ spec: - topology - zone type: object + x-kubernetes-validations: + - message: when zoneAffinity type is HostGroup, regionAffinity + type must be ComputeCluster + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''HostGroup'' ? has(self.regionAffinity) && self.regionAffinity.type + == ''ComputeCluster'' : true' + - message: when zoneAffinity type is ComputeCluster, regionAffinity + type must be Datacenter + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''ComputeCluster'' ? has(self.regionAffinity) && + self.regionAffinity.type == ''Datacenter'' : true' type: array x-kubernetes-list-map-keys: - name @@ -1056,6 +1067,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1261,6 +1273,109 @@ spec: description: armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack. type: string + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, "10.0.0.0" + or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. + enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType is + ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' cloudName: description: |- cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 30b85b78e9..a604d2f634 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -2560,6 +2560,7 @@ func (in *GenericAPIServerConfig) DeepCopy() *GenericAPIServerConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericControllerConfig) DeepCopyInto(out *GenericControllerConfig) { *out = *in + out.TypeMeta = in.TypeMeta in.ServingInfo.DeepCopyInto(&out.ServingInfo) out.LeaderElection = in.LeaderElection out.Authentication = in.Authentication diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index b10ff7bd33..84c1443d44 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -206,7 +206,8 @@ dnses.config.openshift.io: CRDName: dnses.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - AWSEuropeanSovereignCloudInstall FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -372,7 +373,6 @@ infrastructures.config.openshift.io: - AzureDualStackInstall - DualReplica - DyanmicServiceEndpointIBMCloud - - GCPClusterHostedDNSInstall - NutanixMultiSubnets - OnPremDNSRecords - VSphereHostVMGroupZonal diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 2869558afc..4a5346dba8 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -137,7 +137,7 @@ func (GenericAPIServerConfig) SwaggerDoc() map[string]string { } var map_GenericControllerConfig = map[string]string{ - "": "GenericControllerConfig provides information to configure a controller", + "": "GenericControllerConfig provides information to configure a controller\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "servingInfo": "servingInfo is the HTTP serving information for the controller's endpoints", "leaderElection": "leaderElection provides information to elect a leader. Only override this if you have a specific need", "authentication": "authentication allows configuration of authentication for the endpoints", @@ -988,7 +988,7 @@ func (ConsoleStatus) SwaggerDoc() map[string]string { var map_AWSDNSSpec = map[string]string{ "": "AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.", - "privateZoneIAMRole": "privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed.", + "privateZoneIAMRole": "privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed.\n\nThe ARN must follow the format: arn::iam:::role/, where: is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), is a 12-digit numeric identifier for the AWS account, is the IAM role name.", } func (AWSDNSSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index 48ca1aed8a..08eaca29f3 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go @@ -126,6 +126,22 @@ type ClusterMonitoringSpec struct { // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. // +optional OpenShiftStateMetricsConfig OpenShiftStateMetricsConfig `json:"openShiftStateMetricsConfig,omitempty,omitzero"` + // telemeterClientConfig is an optional field that can be used to configure the Telemeter Client + // component that runs in the openshift-monitoring namespace. The Telemeter Client collects + // selected monitoring metrics and forwards them to Red Hat for telemetry purposes. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // When set, at least one field must be specified within telemeterClientConfig. + // +optional + TelemeterClientConfig TelemeterClientConfig `json:"telemeterClientConfig,omitempty,omitzero"` + // thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier + // component that runs in the openshift-monitoring namespace. The Thanos Querier provides + // a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory + // requests, and no custom tolerations or topology spread constraints. + // When set, at least one field must be specified within thanosQuerierConfig. + // +optional + ThanosQuerierConfig ThanosQuerierConfig `json:"thanosQuerierConfig,omitempty,omitzero"` } // OpenShiftStateMetricsConfig provides configuration options for the openshift-state-metrics agent @@ -158,13 +174,13 @@ type OpenShiftStateMetricsConfig struct { // - name: memory // request: 32Mi // limit: null - // Maximum length for this list is 10. + // Maximum length for this list is 5. // Minimum length for this list is 1. // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // tolerations defines tolerations for the pods. @@ -288,13 +304,13 @@ type AlertmanagerCustomConfig struct { // - name: memory // request: 40Mi // limit: null - // Maximum length for this list is 10. + // Maximum length for this list is 5. // Minimum length for this list is 1. // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // secrets defines a list of secrets that need to be mounted into the Alertmanager. @@ -392,6 +408,13 @@ const ( LogLevelDebug LogLevel = "Debug" ) +// MaxItems on []ContainerResource fields is kept at 5 to stay within the +// Kubernetes CRD CEL validation cost budget (StaticEstimatedCRDCostLimit). +// The quantity() CEL function has a high fixed estimated cost per invocation, +// and the limit-vs-request comparison rule is costed per maxItems per location. +// With multiple structs in ClusterMonitoringSpec embedding []ContainerResource, +// maxItems > 5 causes the total estimated rule cost to exceed the budget. + // ContainerResource defines a single resource requirement for a container. // +kubebuilder:validation:XValidation:rule="has(self.request) || has(self.limit)",message="at least one of request or limit must be set" // +kubebuilder:validation:XValidation:rule="!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0",message="limit must be greater than or equal to request" @@ -408,6 +431,7 @@ type ContainerResource struct { // request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). // This field is optional. // When limit is specified, request cannot be greater than limit. + // The value must be greater than 0 when specified. // +optional // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:MaxLength=20 @@ -491,13 +515,13 @@ type MetricsServerConfig struct { // - name: memory // request: 40Mi // limit: null - // Maximum length for this list is 10. + // Maximum length for this list is 5. // Minimum length for this list is 1. // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed @@ -562,13 +586,13 @@ type PrometheusOperatorConfig struct { // - name: memory // request: 40Mi // limit: null - // Maximum length for this list is 10. + // Maximum length for this list is 5. // Minimum length for this list is 1. // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // tolerations defines tolerations for the pods. @@ -626,13 +650,13 @@ type PrometheusOperatorAdmissionWebhookConfig struct { // - name: memory // request: 30Mi // limit: null - // Maximum length for this list is 10. + // Maximum length for this list is 5. // Minimum length for this list is 1. // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // topologySpreadConstraints defines rules for how admission webhook Pods should be distributed @@ -761,18 +785,24 @@ type PrometheusConfig struct { // resources defines the compute resource requests and limits for the Prometheus container. // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. // When not specified, defaults are used by the platform. Requests cannot exceed limits. - // Each entry must have a unique resource name. - // Minimum of 1 and maximum of 10 resource entries can be specified. + // This field is optional. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // This is a simplified API that maps to Kubernetes ResourceRequirements. // The current default values are: // resources: // - name: cpu // request: 4m + // limit: null // - name: memory // request: 40Mi + // limit: null + // Maximum length for this list is 5. + // Minimum length for this list is 1. + // Each resource name must be unique within this list. // +optional // +listType=map // +listMapKey=name - // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MaxItems=5 // +kubebuilder:validation:MinItems=1 Resources []ContainerResource `json:"resources,omitempty"` // retention configures how long Prometheus retains metrics data and how much storage it can use. @@ -1734,6 +1764,153 @@ const ( CollectionProfileMinimal CollectionProfile = "Minimal" ) +// TelemeterClientConfig provides configuration options for the Telemeter Client component +// that runs in the `openshift-monitoring` namespace. The Telemeter Client collects selected +// monitoring metrics and forwards them to Red Hat for telemetry purposes. +// At least one field must be specified. +// +kubebuilder:validation:MinProperties=1 +type TelemeterClientConfig struct { + // nodeSelector defines the nodes on which the Pods are scheduled. + // nodeSelector is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // The current default value is `kubernetes.io/os: linux`. + // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + // +optional + // +kubebuilder:validation:MinProperties=1 + // +kubebuilder:validation:MaxProperties=10 + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + // resources defines the compute resource requests and limits for the Telemeter Client container. + // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + // When not specified, defaults are used by the platform. Requests cannot exceed limits. + // This field is optional. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // This is a simplified API that maps to Kubernetes ResourceRequirements. + // The current default values are: + // resources: + // - name: cpu + // request: 1m + // limit: null + // - name: memory + // request: 40Mi + // limit: null + // Maximum length for this list is 5. + // Minimum length for this list is 1. + // Each resource name must be unique within this list. + // +optional + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MaxItems=5 + // +kubebuilder:validation:MinItems=1 + Resources []ContainerResource `json:"resources,omitempty"` + // tolerations defines tolerations for the pods. + // tolerations is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // Defaults are empty/unset. + // Maximum length for this list is 10. + // Minimum length for this list is 1. + // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MinItems=1 + // +listType=atomic + // +optional + Tolerations []v1.Toleration `json:"tolerations,omitempty"` + // topologySpreadConstraints defines rules for how Telemeter Client Pods should be distributed + // across topology domains such as zones, nodes, or other user-defined labels. + // topologySpreadConstraints is optional. + // This helps improve high availability and resource efficiency by avoiding placing + // too many replicas in the same failure domain. + // + // When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + // This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + // Default is empty list. + // Maximum length for this list is 10. + // Minimum length for this list is 1. + // Entries must have unique topologyKey and whenUnsatisfiable pairs. + // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + // +optional + TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` +} + +// ThanosQuerierConfig provides configuration options for the Thanos Querier component +// that runs in the `openshift-monitoring` namespace. +// At least one field must be specified; an empty thanosQuerierConfig object is not allowed. +// +kubebuilder:validation:MinProperties=1 +type ThanosQuerierConfig struct { + // nodeSelector defines the nodes on which the Pods are scheduled. + // nodeSelector is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // The current default value is `kubernetes.io/os: linux`. + // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + // +optional + // +kubebuilder:validation:MinProperties=1 + // +kubebuilder:validation:MaxProperties=10 + NodeSelector map[string]string `json:"nodeSelector,omitempty"` + // resources defines the compute resource requests and limits for the Thanos Querier container. + // resources is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // Requests cannot exceed limits. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // This is a simplified API that maps to Kubernetes ResourceRequirements. + // The current default values are: + // resources: + // - name: cpu + // request: 5m + // - name: memory + // request: 12Mi + // Maximum length for this list is 5. + // Minimum length for this list is 1. + // Each resource name must be unique within this list. + // +optional + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MaxItems=5 + // +kubebuilder:validation:MinItems=1 + Resources []ContainerResource `json:"resources,omitempty"` + // tolerations defines tolerations for the pods. + // tolerations is optional. + // + // When omitted, this means the user has no opinion and the platform is left + // to choose reasonable defaults. These defaults are subject to change over time. + // Defaults are empty/unset. + // Maximum length for this list is 10. + // Minimum length for this list is 1. + // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MinItems=1 + // +listType=atomic + // +optional + Tolerations []v1.Toleration `json:"tolerations,omitempty"` + // topologySpreadConstraints defines rules for how Thanos Querier Pods should be distributed + // across topology domains such as zones, nodes, or other user-defined labels. + // topologySpreadConstraints is optional. + // This helps improve high availability and resource efficiency by avoiding placing + // too many replicas in the same failure domain. + // + // When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + // This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + // Defaults are empty/unset. + // Maximum length for this list is 10. + // Minimum length for this list is 1. + // Entries must have unique topologyKey and whenUnsatisfiable pairs. + // +kubebuilder:validation:MaxItems=10 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + // +optional + TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` +} + // AuditProfile defines the audit log level for the Metrics Server. // +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse type AuditProfile string diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 88eb7d9a87..efe0233ed1 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -110,7 +110,7 @@ spec: - name: memory request: 40Mi limit: null - Maximum length for this list is 10. + Maximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list. items: @@ -154,6 +154,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -170,7 +171,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -958,7 +959,7 @@ spec: - name: memory request: 40Mi limit: null - Maximum length for this list is 10. + Maximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list. items: @@ -1002,6 +1003,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -1018,7 +1020,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -1322,7 +1324,7 @@ spec: - name: memory request: 32Mi limit: null - Maximum length for this list is 10. + Maximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list. items: @@ -1366,6 +1368,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -1382,7 +1385,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -3233,14 +3236,20 @@ spec: resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. - Each entry must have a unique resource name. - Minimum of 1 and maximum of 10 resource entries can be specified. + This field is optional. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are: resources: - name: cpu request: 4m + limit: null - name: memory request: 40Mi + limit: null + Maximum length for this list is 5. + Minimum length for this list is 1. + Each resource name must be unique within this list. items: description: ContainerResource defines a single resource requirement for a container. @@ -3282,6 +3291,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -3298,7 +3308,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -4012,7 +4022,7 @@ spec: - name: memory request: 30Mi limit: null - Maximum length for this list is 10. + Maximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list. items: @@ -4056,6 +4066,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -4072,7 +4083,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -4326,7 +4337,7 @@ spec: - name: memory request: 40Mi limit: null - Maximum length for this list is 10. + Maximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list. items: @@ -4370,6 +4381,7 @@ spec: request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). This field is optional. When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. maxLength: 20 minLength: 1 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -4386,7 +4398,7 @@ spec: - message: limit must be greater than or equal to request rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) >= 0' - maxItems: 10 + maxItems: 5 minItems: 1 type: array x-kubernetes-list-map-keys: @@ -4636,6 +4648,708 @@ spec: - whenUnsatisfiable x-kubernetes-list-type: map type: object + telemeterClientConfig: + description: |- + telemeterClientConfig is an optional field that can be used to configure the Telemeter Client + component that runs in the openshift-monitoring namespace. The Telemeter Client collects + selected monitoring metrics and forwards them to Red Hat for telemetry purposes. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + When set, at least one field must be specified within telemeterClientConfig. + minProperties: 1 + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector defines the nodes on which the Pods are scheduled. + nodeSelector is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default value is `kubernetes.io/os: linux`. + When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + maxProperties: 10 + minProperties: 1 + type: object + resources: + description: |- + resources defines the compute resource requests and limits for the Telemeter Client container. + This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. + When not specified, defaults are used by the platform. Requests cannot exceed limits. + This field is optional. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. + The current default values are: + resources: + - name: cpu + request: 1m + limit: null + - name: memory + request: 40Mi + limit: null + Maximum length for this list is 5. + Minimum length for this list is 1. + Each resource name must be unique within this list. + items: + description: ContainerResource defines a single resource requirement + for a container. + properties: + limit: + anyOf: + - type: integer + - type: string + description: |- + limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi"). + This field is optional. + When request is specified, limit cannot be less than request. + The value must be greater than 0 when specified. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: limit must be a positive, non-zero quantity + rule: quantity(self).isGreaterThan(quantity('0')) + name: + description: |- + name of the resource (e.g. "cpu", "memory", "hugepages-2Mi"). + This field is required. + name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist only of alphanumeric characters, + `-`, `_` and `.` and must start and end with an alphanumeric + character + rule: '!format.qualifiedName().validate(self).hasValue()' + request: + anyOf: + - type: integer + - type: string + description: |- + request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). + This field is optional. + When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: request must be a positive, non-zero quantity + rule: quantity(self).isGreaterThan(quantity('0')) + required: + - name + type: object + x-kubernetes-validations: + - message: at least one of request or limit must be set + rule: has(self.request) || has(self.limit) + - message: limit must be greater than or equal to request + rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) + >= 0' + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tolerations: + description: |- + tolerations defines tolerations for the pods. + tolerations is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Defaults are empty/unset. + Maximum length for this list is 10. + Minimum length for this list is 1. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + topologySpreadConstraints defines rules for how Telemeter Client Pods should be distributed + across topology domains such as zones, nodes, or other user-defined labels. + topologySpreadConstraints is optional. + This helps improve high availability and resource efficiency by avoiding placing + too many replicas in the same failure domain. + + When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + Default is empty list. + Maximum length for this list is 10. + Minimum length for this list is 1. + Entries must have unique topologyKey and whenUnsatisfiable pairs. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + type: object + thanosQuerierConfig: + description: |- + thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier + component that runs in the openshift-monitoring namespace. The Thanos Querier provides + a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory + requests, and no custom tolerations or topology spread constraints. + When set, at least one field must be specified within thanosQuerierConfig. + minProperties: 1 + properties: + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector defines the nodes on which the Pods are scheduled. + nodeSelector is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + The current default value is `kubernetes.io/os: linux`. + When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. + maxProperties: 10 + minProperties: 1 + type: object + resources: + description: |- + resources defines the compute resource requests and limits for the Thanos Querier container. + resources is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Requests cannot exceed limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + This is a simplified API that maps to Kubernetes ResourceRequirements. + The current default values are: + resources: + - name: cpu + request: 5m + - name: memory + request: 12Mi + Maximum length for this list is 5. + Minimum length for this list is 1. + Each resource name must be unique within this list. + items: + description: ContainerResource defines a single resource requirement + for a container. + properties: + limit: + anyOf: + - type: integer + - type: string + description: |- + limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi"). + This field is optional. + When request is specified, limit cannot be less than request. + The value must be greater than 0 when specified. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: limit must be a positive, non-zero quantity + rule: quantity(self).isGreaterThan(quantity('0')) + name: + description: |- + name of the resource (e.g. "cpu", "memory", "hugepages-2Mi"). + This field is required. + name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist only of alphanumeric characters, + `-`, `_` and `.` and must start and end with an alphanumeric + character + rule: '!format.qualifiedName().validate(self).hasValue()' + request: + anyOf: + - type: integer + - type: string + description: |- + request is the minimum amount of the resource required (e.g. "2Mi", "1Gi"). + This field is optional. + When limit is specified, request cannot be greater than limit. + The value must be greater than 0 when specified. + maxLength: 20 + minLength: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: request must be a positive, non-zero quantity + rule: quantity(self).isGreaterThan(quantity('0')) + required: + - name + type: object + x-kubernetes-validations: + - message: at least one of request or limit must be set + rule: has(self.request) || has(self.limit) + - message: limit must be greater than or equal to request + rule: '!(has(self.request) && has(self.limit)) || quantity(self.limit).compareTo(quantity(self.request)) + >= 0' + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + tolerations: + description: |- + tolerations defines tolerations for the pods. + tolerations is optional. + + When omitted, this means the user has no opinion and the platform is left + to choose reasonable defaults. These defaults are subject to change over time. + Defaults are empty/unset. + Maximum length for this list is 10. + Minimum length for this list is 1. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + topologySpreadConstraints defines rules for how Thanos Querier Pods should be distributed + across topology domains such as zones, nodes, or other user-defined labels. + topologySpreadConstraints is optional. + This helps improve high availability and resource efficiency by avoiding placing + too many replicas in the same failure domain. + + When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. + This field maps directly to the `topologySpreadConstraints` field in the Pod spec. + Defaults are empty/unset. + Maximum length for this list is 10. + Minimum length for this list is 1. + Entries must have unique topologyKey and whenUnsatisfiable pairs. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + type: object userDefined: description: |- userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go index ad6afabff9..38694ad9eb 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go @@ -447,6 +447,8 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) { in.PrometheusOperatorConfig.DeepCopyInto(&out.PrometheusOperatorConfig) in.PrometheusOperatorAdmissionWebhookConfig.DeepCopyInto(&out.PrometheusOperatorAdmissionWebhookConfig) in.OpenShiftStateMetricsConfig.DeepCopyInto(&out.OpenShiftStateMetricsConfig) + in.TelemeterClientConfig.DeepCopyInto(&out.TelemeterClientConfig) + in.ThanosQuerierConfig.DeepCopyInto(&out.ThanosQuerierConfig) return } @@ -1584,6 +1586,94 @@ func (in *TLSConfig) DeepCopy() *TLSConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TelemeterClientConfig) DeepCopyInto(out *TelemeterClientConfig) { + *out = *in + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemeterClientConfig. +func (in *TelemeterClientConfig) DeepCopy() *TelemeterClientConfig { + if in == nil { + return nil + } + out := new(TelemeterClientConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ThanosQuerierConfig) DeepCopyInto(out *ThanosQuerierConfig) { + *out = *in + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThanosQuerierConfig. +func (in *ThanosQuerierConfig) DeepCopy() *ThanosQuerierConfig { + if in == nil { + return nil + } + out := new(ThanosQuerierConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UppercaseActionConfig) DeepCopyInto(out *UppercaseActionConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index b79cbbf774..a95db9b463 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -109,7 +109,7 @@ var map_AlertmanagerCustomConfig = map[string]string{ "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", @@ -179,6 +179,8 @@ var map_ClusterMonitoringSpec = map[string]string{ "prometheusOperatorConfig": "prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", "prometheusOperatorAdmissionWebhookConfig": "prometheusOperatorAdmissionWebhookConfig is an optional field that can be used to configure the admission webhook component of Prometheus Operator that runs in the openshift-monitoring namespace. The admission webhook validates PrometheusRule and AlertmanagerConfig objects to ensure they are semantically valid, mutates PrometheusRule annotations, and converts AlertmanagerConfig objects between API versions. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", "openShiftStateMetricsConfig": "openShiftStateMetricsConfig is an optional field that can be used to configure the openshift-state-metrics agent that runs in the openshift-monitoring namespace. The openshift-state-metrics agent generates metrics about the state of OpenShift-specific Kubernetes objects, such as routes, builds, and deployments. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + "telemeterClientConfig": "telemeterClientConfig is an optional field that can be used to configure the Telemeter Client component that runs in the openshift-monitoring namespace. The Telemeter Client collects selected monitoring metrics and forwards them to Red Hat for telemetry purposes. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. When set, at least one field must be specified within telemeterClientConfig.", + "thanosQuerierConfig": "thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier component that runs in the openshift-monitoring namespace. The Thanos Querier provides a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory requests, and no custom tolerations or topology spread constraints. When set, at least one field must be specified within thanosQuerierConfig.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { @@ -196,7 +198,7 @@ func (ClusterMonitoringStatus) SwaggerDoc() map[string]string { var map_ContainerResource = map[string]string{ "": "ContainerResource defines a single resource requirement for a container.", "name": "name of the resource (e.g. \"cpu\", \"memory\", \"hugepages-2Mi\"). This field is required. name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.", - "request": "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit.", + "request": "request is the minimum amount of the resource required (e.g. \"2Mi\", \"1Gi\"). This field is optional. When limit is specified, request cannot be greater than limit. The value must be greater than 0 when specified.", "limit": "limit is the maximum amount of the resource allowed (e.g. \"2Mi\", \"1Gi\"). This field is optional. When request is specified, limit cannot be less than request. The value must be greater than 0 when specified.", } @@ -285,7 +287,7 @@ var map_MetricsServerConfig = map[string]string{ "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", "verbosity": "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`", - "resources": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "resources": "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", } @@ -319,7 +321,7 @@ func (OAuth2EndpointParam) SwaggerDoc() map[string]string { var map_OpenShiftStateMetricsConfig = map[string]string{ "": "OpenShiftStateMetricsConfig provides configuration options for the openshift-state-metrics agent that runs in the `openshift-monitoring` namespace. The openshift-state-metrics agent generates metrics about the state of OpenShift-specific Kubernetes objects, such as routes, builds, and deployments.", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", - "resources": "resources defines the compute resource requests and limits for the openshift-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 1m\n limit: null\n - name: memory\n request: 32Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "resources": "resources defines the compute resource requests and limits for the openshift-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 1m\n limit: null\n - name: memory\n request: 32Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how openshift-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", } @@ -337,7 +339,7 @@ var map_PrometheusConfig = map[string]string{ "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least one key-value pair (minimum of 1) and must not contain more than 10 entries.", "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", - "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. Each entry must have a unique resource name. Minimum of 1 and maximum of 10 resource entries can be specified. The current default values are:\n resources:\n - name: cpu\n request: 4m\n - name: memory\n request: 40Mi", + "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", @@ -351,7 +353,7 @@ func (PrometheusConfig) SwaggerDoc() map[string]string { var map_PrometheusOperatorAdmissionWebhookConfig = map[string]string{ "": "PrometheusOperatorAdmissionWebhookConfig provides configuration options for the admission webhook component of Prometheus Operator that runs in the `openshift-monitoring` namespace. The admission webhook validates PrometheusRule and AlertmanagerConfig objects, mutates PrometheusRule annotations, and converts AlertmanagerConfig objects between API versions.", - "resources": "resources defines the compute resource requests and limits for the prometheus-operator-admission-webhook container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n limit: null\n - name: memory\n request: 30Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "resources": "resources defines the compute resource requests and limits for the prometheus-operator-admission-webhook container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n limit: null\n - name: memory\n request: 30Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how admission webhook Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", } @@ -363,7 +365,7 @@ var map_PrometheusOperatorConfig = map[string]string{ "": "PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.", "logLevel": "logLevel defines the verbosity of logs emitted by Prometheus Operator. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", - "resources": "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.", + "resources": "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", } @@ -516,6 +518,30 @@ func (TLSConfig) SwaggerDoc() map[string]string { return map_TLSConfig } +var map_TelemeterClientConfig = map[string]string{ + "": "TelemeterClientConfig provides configuration options for the Telemeter Client component that runs in the `openshift-monitoring` namespace. The Telemeter Client collects selected monitoring metrics and forwards them to Red Hat for telemetry purposes. At least one field must be specified.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the Telemeter Client container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 1m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Telemeter Client Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", +} + +func (TelemeterClientConfig) SwaggerDoc() map[string]string { + return map_TelemeterClientConfig +} + +var map_ThanosQuerierConfig = map[string]string{ + "": "ThanosQuerierConfig provides configuration options for the Thanos Querier component that runs in the `openshift-monitoring` namespace. At least one field must be specified; an empty thanosQuerierConfig object is not allowed.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the Thanos Querier container. resources is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Requests cannot exceed limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n - name: memory\n request: 12Mi\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Thanos Querier Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", +} + +func (ThanosQuerierConfig) SwaggerDoc() map[string]string { + return map_ThanosQuerierConfig +} + var map_UppercaseActionConfig = map[string]string{ "": "UppercaseActionConfig configures the Uppercase action. Maps the concatenated source_labels to their upper case and writes to target_label. Requires Prometheus >= v2.36.0.", "targetLabel": "targetLabel is the label name where the upper-cased value is written. Must be between 1 and 128 characters in length.", diff --git a/vendor/github.com/openshift/api/envtest-releases.yaml b/vendor/github.com/openshift/api/envtest-releases.yaml index 9ab6d63a6f..ea376ded55 100644 --- a/vendor/github.com/openshift/api/envtest-releases.yaml +++ b/vendor/github.com/openshift/api/envtest-releases.yaml @@ -1,4 +1,30 @@ releases: + v1.28.15: + envtest-v1.28.15-darwin-amd64.tar.gz: + hash: 79e04e7e264e6907da73d27c04d50be7bfa702b059e66f21331c9c8e16daa6ff960e750c1910804b7aa2a5bd79488a5bd082b76a7bab003e613a2cdbb2a8b80d + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.28.15-darwin-amd64.tar.gz + envtest-v1.28.15-darwin-arm64.tar.gz: + hash: 9646d169cf5161793ded60fa2ffde705d8fdde7c7c77833be9a77909f5804b909f28d56b2b0b93bd200d8057db3e37da9fe1683368ae38777ea62609135d0b4d + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.28.15-darwin-arm64.tar.gz + envtest-v1.28.15-linux-amd64.tar.gz: + hash: bc7e3deabbb3c7ee5e572e1392041af9d2fa40a51eb88dcabdaf57ff2a476e81efbd837a87f1f0849a5083dcb7c0b4b2fc16107da4cf3308805eee377fb383c1 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.28.15-linux-amd64.tar.gz + envtest-v1.28.15-linux-arm64.tar.gz: + hash: 17ec8d5f7de118b66d1621d8b25b4f0a891e4a641d5e845d14c0da4cb2e258b6bf788fe6b5334b27beb12d9e67f7c8f2c2ded6023bf9a7e79ac3b483b8cdfcc2 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.28.15-linux-arm64.tar.gz + v1.29.7: + envtest-v1.29.7-darwin-amd64.tar.gz: + hash: 4a97f9162ee882632aafda20e562dfb4011879f9ec6c8ffa4922e566933fc35292171cc837b50860e2e91238d820931a1fb8c3280541a180f6e9057178c71889 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.29.7-darwin-amd64.tar.gz + envtest-v1.29.7-darwin-arm64.tar.gz: + hash: e810e04c14b1bba79c90c755ecb8b13094132a86339e78d1fe39029b9825b90b663d538b29d6ab4d905c22728efdf278881ee3f434f2215bc77157dee90a2bde + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.29.7-darwin-arm64.tar.gz + envtest-v1.29.7-linux-amd64.tar.gz: + hash: 91dcf683c95541691b8b9fdd332b0d3df56f8969b57c14797e990b9861ad71b2954f402913b5579f6afb99dce19817ba49542e2e276c7f70aeeb857a5ec1d57c + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.29.7-linux-amd64.tar.gz + envtest-v1.29.7-linux-arm64.tar.gz: + hash: 912333dee15e9cc068ebc5ef25591e16b9732cc70c23435efa72af352cffa9c25236d3982db910bd3a06172e9d57fc0d50585996f17c66ae1b80f0e2d3ef37b5 + selfLink: https://storage.googleapis.com/openshift-kubebuilder-tools/envtest-v1.29.7-linux-arm64.tar.gz v1.30.3: envtest-v1.30.3-darwin-amd64.tar.gz: hash: 81ab2ad5841522976d9a5fc58642b745cf308230b0f2e634acfb2d5c8f288ef837f7b82144a5e91db607d86885101e06dd473a68bcac0d71be2297edc4aaa92e diff --git a/vendor/github.com/openshift/api/etcd/install.go b/vendor/github.com/openshift/api/etcd/install.go index 7e7474152c..659816d814 100644 --- a/vendor/github.com/openshift/api/etcd/install.go +++ b/vendor/github.com/openshift/api/etcd/install.go @@ -5,6 +5,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" v1alpha1 "github.com/openshift/api/etcd/v1alpha1" + v1 "github.com/openshift/api/etcd/v1" ) const ( @@ -12,7 +13,7 @@ const ( ) var ( - schemeBuilder = runtime.NewSchemeBuilder(v1alpha1.Install) + schemeBuilder = runtime.NewSchemeBuilder(v1.Install, v1alpha1.Install) // Install is a function which adds every version of this group to a scheme Install = schemeBuilder.AddToScheme ) diff --git a/vendor/github.com/openshift/api/etcd/v1/Makefile b/vendor/github.com/openshift/api/etcd/v1/Makefile new file mode 100644 index 0000000000..6fa6435a24 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/Makefile @@ -0,0 +1,3 @@ +.PHONY: test +test: + make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="etcd.openshift.io/v1" diff --git a/vendor/github.com/openshift/api/etcd/v1/doc.go b/vendor/github.com/openshift/api/etcd/v1/doc.go new file mode 100644 index 0000000000..fe483fffd4 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/doc.go @@ -0,0 +1,6 @@ +// +k8s:deepcopy-gen=package,register +// +k8s:defaulter-gen=TypeMeta +// +k8s:openapi-gen=true +// +openshift:featuregated-schema-gen=true +// +groupName=etcd.openshift.io +package v1 diff --git a/vendor/github.com/openshift/api/etcd/v1/register.go b/vendor/github.com/openshift/api/etcd/v1/register.go new file mode 100644 index 0000000000..1b59263043 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/register.go @@ -0,0 +1,39 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + GroupName = "etcd.openshift.io" + GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} + schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + // Install is a function which adds this version to a scheme + Install = schemeBuilder.AddToScheme + + // SchemeGroupVersion generated code relies on this name + // Deprecated + SchemeGroupVersion = GroupVersion + // AddToScheme exists solely to keep the old generators creating valid code + // DEPRECATED + AddToScheme = schemeBuilder.AddToScheme +) + +// Resource generated code relies on this being here, but it logically belongs to the group +// DEPRECATED +func Resource(resource string) schema.GroupResource { + return schema.GroupResource{Group: GroupName, Resource: resource} +} + +func addKnownTypes(scheme *runtime.Scheme) error { + metav1.AddToGroupVersion(scheme, GroupVersion) + + scheme.AddKnownTypes(GroupVersion, + &PacemakerCluster{}, + &PacemakerClusterList{}, + ) + + return nil +} diff --git a/vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go b/vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go new file mode 100644 index 0000000000..a481f5e1bd --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go @@ -0,0 +1,737 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// PacemakerCluster is used in Two Node OpenShift with Fencing deployments to monitor the health +// of etcd running under pacemaker. + +// Cluster-level condition types for PacemakerCluster.status.conditions +const ( + // ClusterHealthyConditionType tracks the overall health of the pacemaker cluster. + // This is an aggregate condition that reflects the health of all cluster-level conditions and node health. + // Specifically, it aggregates the following conditions: + // - ClusterInServiceConditionType + // - ClusterNodeCountAsExpectedConditionType + // - NodeHealthyConditionType (for each node) + // When True, the cluster is healthy with reason "ClusterHealthy". + // When False, the cluster is unhealthy with reason "ClusterUnhealthy". + ClusterHealthyConditionType = "Healthy" + + // ClusterInServiceConditionType tracks whether the cluster is in service (not in maintenance mode). + // Maintenance mode is a cluster-wide setting that prevents pacemaker from starting or stopping resources. + // When True, the cluster is in service with reason "InService". This is the normal operating state. + // When False, the cluster is in maintenance mode with reason "InMaintenance". This is an unexpected state. + ClusterInServiceConditionType = "InService" + + // ClusterNodeCountAsExpectedConditionType tracks whether the cluster has the expected number of nodes. + // For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes. + // When True, the expected number of nodes are present with reason "AsExpected". + // When False, the node count is incorrect with reason "InsufficientNodes" or "ExcessiveNodes". + ClusterNodeCountAsExpectedConditionType = "NodeCountAsExpected" +) + +// ClusterHealthy condition reasons +const ( + // ClusterHealthyReasonHealthy means the pacemaker cluster is healthy and operating normally. + ClusterHealthyReasonHealthy = "ClusterHealthy" + + // ClusterHealthyReasonUnhealthy means the pacemaker cluster has issues that need investigation. + ClusterHealthyReasonUnhealthy = "ClusterUnhealthy" +) + +// ClusterInService condition reasons +const ( + // ClusterInServiceReasonInService means the cluster is in service (not in maintenance mode). + // This is the normal operating state. + ClusterInServiceReasonInService = "InService" + + // ClusterInServiceReasonInMaintenance means the cluster is in maintenance mode. + // In maintenance mode, pacemaker will not start or stop any resources. Entering and exiting this state requires + // manual user intervention, and is unexpected during normal cluster operation. + ClusterInServiceReasonInMaintenance = "InMaintenance" +) + +// ClusterNodeCountAsExpected condition reasons +const ( + // ClusterNodeCountAsExpectedReasonAsExpected means the expected number of nodes are present. + // For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes. This is the expected healthy state. + ClusterNodeCountAsExpectedReasonAsExpected = "AsExpected" + + // ClusterNodeCountAsExpectedReasonInsufficientNodes means fewer nodes than expected are present. + // For Two Node OpenShift with Fencing, this means that less than 2 nodes are present. Under normal operation, this will only happen during + // a node replacement operation. It's also possible to enter this state with manual user intervention, but + // will also require user intervention to restore normal functionality. + ClusterNodeCountAsExpectedReasonInsufficientNodes = "InsufficientNodes" + + // ClusterNodeCountAsExpectedReasonExcessiveNodes means more nodes than expected are present. + // For Two Node OpenShift with Fencing, this means more than 2 nodes are present. This should be investigated as it is unexpected and should + // never happen during normal cluster operation. It is possible to enter this state with manual user intervention, + // but will also require user intervention to restore normal functionality. + ClusterNodeCountAsExpectedReasonExcessiveNodes = "ExcessiveNodes" +) + +// Node-level condition types for PacemakerCluster.status.nodes[].conditions +const ( + // NodeHealthyConditionType tracks the overall health of a node in the pacemaker cluster. + // This is an aggregate condition that reflects the health of all node-level conditions and resource health. + // Specifically, it aggregates the following conditions: + // - NodeOnlineConditionType + // - NodeInServiceConditionType + // - NodeActiveConditionType + // - NodeReadyConditionType + // - NodeCleanConditionType + // - NodeMemberConditionType + // - NodeFencingAvailableConditionType + // - NodeFencingHealthyConditionType + // - ResourceHealthyConditionType (for each resource in the node's resources list) + // When True, the node is healthy with reason "NodeHealthy". + // When False, the node is unhealthy with reason "NodeUnhealthy". + NodeHealthyConditionType = "Healthy" + + // NodeOnlineConditionType tracks whether a node is online. + // When True, the node is online with reason "Online". This is the normal operating state. + // When False, the node is offline with reason "Offline". This can occur during reboots, failures, maintenance, or replacement. + NodeOnlineConditionType = "Online" + + // NodeInServiceConditionType tracks whether a node is in service (not in maintenance mode). + // A node in maintenance mode is ignored by pacemaker while maintenance mode is active. + // When True, the node is in service with reason "InService". This is the normal operating state. + // When False, the node is in maintenance mode with reason "InMaintenance". This is an unexpected state. + NodeInServiceConditionType = "InService" + + // NodeActiveConditionType tracks whether a node is active (not in standby mode). + // When a node enters standby mode, pacemaker moves its resources to other nodes in the cluster. + // In Two Node OpenShift with Fencing, we do not use standby mode during normal operation. + // When True, the node is active with reason "Active". This is the normal operating state. + // When False, the node is in standby mode with reason "Standby". This is an unexpected state. + NodeActiveConditionType = "Active" + + // NodeReadyConditionType tracks whether a node is ready (not in a pending state). + // A node in a pending state is in the process of joining or leaving the cluster. + // When True, the node is ready with reason "Ready". This is the normal operating state. + // When False, the node is pending with reason "Pending". This is expected to be temporary. + NodeReadyConditionType = "Ready" + + // NodeCleanConditionType tracks whether a node is in a clean state. + // An unclean state means that pacemaker was unable to confirm the node's state, which signifies issues + // in fencing, communication, or configuration. + // When True, the node is clean with reason "Clean". This is the normal operating state. + // When False, the node is unclean with reason "Unclean". This is an unexpected state. + NodeCleanConditionType = "Clean" + + // NodeMemberConditionType tracks whether a node is a member of the cluster. + // Some configurations may use remote nodes or ping nodes, which are nodes that are not members. + // For Two Node OpenShift with Fencing, we expect both nodes to be members. + // When True, the node is a member with reason "Member". This is the normal operating state. + // When False, the node is not a member with reason "NotMember". This is an unexpected state. + NodeMemberConditionType = "Member" + + // NodeFencingAvailableConditionType tracks whether a node can be fenced by at least one fencing agent. + // For Two Node OpenShift with Fencing, each node needs at least one healthy fencing agent to ensure + // that the cluster can recover from a node failure via STONITH (Shoot The Other Node In The Head). + // When True, at least one fencing agent is healthy with reason "FencingAvailable". + // When False, all fencing agents are unhealthy with reason "FencingUnavailable". This is a critical + // state that should degrade the operator. + NodeFencingAvailableConditionType = "FencingAvailable" + + // NodeFencingHealthyConditionType tracks whether all fencing agents for a node are healthy. + // This is an aggregate condition that reflects the health of all fencing agents targeting this node. + // When True, all fencing agents are healthy with reason "FencingHealthy". + // When False, one or more fencing agents are unhealthy with reason "FencingUnhealthy". Warning events + // should be emitted for failing agents, but the operator should not be degraded if FencingAvailable is True. + NodeFencingHealthyConditionType = "FencingHealthy" +) + +// NodeHealthy condition reasons +const ( + // NodeHealthyReasonHealthy means the node is healthy and operating normally. + NodeHealthyReasonHealthy = "NodeHealthy" + + // NodeHealthyReasonUnhealthy means the node has issues that need investigation. + NodeHealthyReasonUnhealthy = "NodeUnhealthy" +) + +// NodeOnline condition reasons +const ( + // NodeOnlineReasonOnline means the node is online. This is the normal operating state. + NodeOnlineReasonOnline = "Online" + + // NodeOnlineReasonOffline means the node is offline. + NodeOnlineReasonOffline = "Offline" +) + +// NodeInService condition reasons +const ( + // NodeInServiceReasonInService means the node is in service (not in maintenance mode). + // This is the normal operating state. + NodeInServiceReasonInService = "InService" + + // NodeInServiceReasonInMaintenance means the node is in maintenance mode. + // This is an unexpected state. + NodeInServiceReasonInMaintenance = "InMaintenance" +) + +// NodeActive condition reasons +const ( + // NodeActiveReasonActive means the node is active (not in standby mode). + // This is the normal operating state. + NodeActiveReasonActive = "Active" + + // NodeActiveReasonStandby means the node is in standby mode. + // This is an unexpected state. + NodeActiveReasonStandby = "Standby" +) + +// NodeReady condition reasons +const ( + // NodeReadyReasonReady means the node is ready (not in a pending state). + // This is the normal operating state. + NodeReadyReasonReady = "Ready" + + // NodeReadyReasonPending means the node is joining or leaving the cluster. + // This state is expected to be temporary. + NodeReadyReasonPending = "Pending" +) + +// NodeClean condition reasons +const ( + // NodeCleanReasonClean means the node is in a clean state. + // This is the normal operating state. + NodeCleanReasonClean = "Clean" + + // NodeCleanReasonUnclean means the node is in an unclean state. + // Pacemaker was unable to confirm the node's state, which signifies issues in fencing, communication, or configuration. + // This is an unexpected state. + NodeCleanReasonUnclean = "Unclean" +) + +// NodeMember condition reasons +const ( + // NodeMemberReasonMember means the node is a member of the cluster. + // For Two Node OpenShift with Fencing, we expect both nodes to be members. This is the normal operating state. + NodeMemberReasonMember = "Member" + + // NodeMemberReasonNotMember means the node is not a member of the cluster. + // This is an unexpected state. + NodeMemberReasonNotMember = "NotMember" +) + +// NodeFencingAvailable condition reasons +const ( + // NodeFencingAvailableReasonAvailable means at least one fencing agent for this node is healthy. + // The cluster can fence this node if needed. This is the normal operating state. + NodeFencingAvailableReasonAvailable = "FencingAvailable" + + // NodeFencingAvailableReasonUnavailable means all fencing agents for this node are unhealthy. + // The cluster cannot fence this node, which compromises high availability. + // This is a critical state that should degrade the operator. + NodeFencingAvailableReasonUnavailable = "FencingUnavailable" +) + +// NodeFencingHealthy condition reasons +const ( + // NodeFencingHealthyReasonHealthy means all fencing agents for this node are healthy. + // This is the ideal operating state with full redundancy. + NodeFencingHealthyReasonHealthy = "FencingHealthy" + + // NodeFencingHealthyReasonUnhealthy means one or more fencing agents for this node are unhealthy. + // Warning events should be emitted for failing agents, but the operator should not be degraded + // if FencingAvailable is still True. + NodeFencingHealthyReasonUnhealthy = "FencingUnhealthy" +) + +// Resource-level condition types for PacemakerCluster.status.nodes[].resources[].conditions +const ( + // ResourceHealthyConditionType tracks the overall health of a pacemaker resource. + // This is an aggregate condition that reflects the health of all resource-level conditions. + // Specifically, it aggregates the following conditions: + // - ResourceInServiceConditionType + // - ResourceManagedConditionType + // - ResourceEnabledConditionType + // - ResourceOperationalConditionType + // - ResourceActiveConditionType + // - ResourceStartedConditionType + // - ResourceSchedulableConditionType + // When True, the resource is healthy with reason "ResourceHealthy". + // When False, the resource is unhealthy with reason "ResourceUnhealthy". + ResourceHealthyConditionType = "Healthy" + + // ResourceInServiceConditionType tracks whether a resource is in service (not in maintenance mode). + // Resources in maintenance mode are not monitored or moved by pacemaker. + // In Two Node OpenShift with Fencing, we do not expect any resources to be in maintenance mode. + // When True, the resource is in service with reason "InService". This is the normal operating state. + // When False, the resource is in maintenance mode with reason "InMaintenance". This is an unexpected state. + ResourceInServiceConditionType = "InService" + + // ResourceManagedConditionType tracks whether a resource is managed by pacemaker. + // Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic. + // For Two Node OpenShift with Fencing, all resources are expected to be managed. + // When True, the resource is managed with reason "Managed". This is the normal operating state. + // When False, the resource is not managed with reason "Unmanaged". This is an unexpected state. + ResourceManagedConditionType = "Managed" + + // ResourceEnabledConditionType tracks whether a resource is enabled. + // Resources that are disabled are stopped and not automatically managed or started by the cluster. + // In Two Node OpenShift with Fencing, we do not expect any resources to be disabled. + // When True, the resource is enabled with reason "Enabled". This is the normal operating state. + // When False, the resource is disabled with reason "Disabled". This is an unexpected state. + ResourceEnabledConditionType = "Enabled" + + // ResourceOperationalConditionType tracks whether a resource is operational (not failed). + // A failed resource is one that is not able to start or is in an error state. + // When True, the resource is operational with reason "Operational". This is the normal operating state. + // When False, the resource has failed with reason "Failed". This is an unexpected state. + ResourceOperationalConditionType = "Operational" + + // ResourceActiveConditionType tracks whether a resource is active. + // An active resource is running on a cluster node. + // In Two Node OpenShift with Fencing, all resources are expected to be active. + // When True, the resource is active with reason "Active". This is the normal operating state. + // When False, the resource is not active with reason "Inactive". This is an unexpected state. + ResourceActiveConditionType = "Active" + + // ResourceStartedConditionType tracks whether a resource is started. + // It's normal for a resource like etcd to become stopped in the event of a quorum loss event because + // the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one. + // A resource that stays stopped for an extended period of time is an unexpected state and should be investigated. + // When True, the resource is started with reason "Started". This is the normal operating state. + // When False, the resource is not started with reason "Stopped". This is expected to be temporary. + ResourceStartedConditionType = "Started" + + // ResourceSchedulableConditionType tracks whether a resource is schedulable (not blocked). + // A resource that is not schedulable is unable to start or move to a different node. + // In Two Node OpenShift with Fencing, we do not expect any resources to be unschedulable. + // When True, the resource is schedulable with reason "Schedulable". This is the normal operating state. + // When False, the resource is not schedulable with reason "Unschedulable". This is an unexpected state. + ResourceSchedulableConditionType = "Schedulable" +) + +// ResourceHealthy condition reasons +const ( + // ResourceHealthyReasonHealthy means the resource is healthy and operating normally. + ResourceHealthyReasonHealthy = "ResourceHealthy" + + // ResourceHealthyReasonUnhealthy means the resource has issues that need investigation. + ResourceHealthyReasonUnhealthy = "ResourceUnhealthy" +) + +// ResourceInService condition reasons +const ( + // ResourceInServiceReasonInService means the resource is in service (not in maintenance mode). + // This is the normal operating state. + ResourceInServiceReasonInService = "InService" + + // ResourceInServiceReasonInMaintenance means the resource is in maintenance mode. + // Resources in maintenance mode are not monitored or moved by pacemaker. This is an unexpected state. + ResourceInServiceReasonInMaintenance = "InMaintenance" +) + +// ResourceManaged condition reasons +const ( + // ResourceManagedReasonManaged means the resource is managed by pacemaker. + // This is the normal operating state. + ResourceManagedReasonManaged = "Managed" + + // ResourceManagedReasonUnmanaged means the resource is not managed by pacemaker. + // Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic. + // This is an unexpected state. + ResourceManagedReasonUnmanaged = "Unmanaged" +) + +// ResourceEnabled condition reasons +const ( + // ResourceEnabledReasonEnabled means the resource is enabled. + // This is the normal operating state. + ResourceEnabledReasonEnabled = "Enabled" + + // ResourceEnabledReasonDisabled means the resource is disabled. + // Resources that are disabled are stopped and not automatically managed or started by the cluster. + // This is an unexpected state. + ResourceEnabledReasonDisabled = "Disabled" +) + +// ResourceOperational condition reasons +const ( + // ResourceOperationalReasonOperational means the resource is operational (not failed). + // This is the normal operating state. + ResourceOperationalReasonOperational = "Operational" + + // ResourceOperationalReasonFailed means the resource has failed. + // A failed resource is one that is not able to start or is in an error state. This is an unexpected state. + ResourceOperationalReasonFailed = "Failed" +) + +// ResourceActive condition reasons +const ( + // ResourceActiveReasonActive means the resource is active. + // An active resource is running on a cluster node. This is the normal operating state. + ResourceActiveReasonActive = "Active" + + // ResourceActiveReasonInactive means the resource is not active. + // This is an unexpected state. + ResourceActiveReasonInactive = "Inactive" +) + +// ResourceStarted condition reasons +const ( + // ResourceStartedReasonStarted means the resource is started. + // This is the normal operating state. + ResourceStartedReasonStarted = "Started" + + // ResourceStartedReasonStopped means the resource is stopped. + // It's normal for a resource like etcd to become stopped in the event of a quorum loss event because + // the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one. + // A resource that stays stopped for an extended period of time is an unexpected state and should be investigated. + ResourceStartedReasonStopped = "Stopped" +) + +// ResourceSchedulable condition reasons +const ( + // ResourceSchedulableReasonSchedulable means the resource is schedulable (not blocked). + // This is the normal operating state. + ResourceSchedulableReasonSchedulable = "Schedulable" + + // ResourceSchedulableReasonUnschedulable means the resource is not schedulable (blocked). + // A resource that is not schedulable is unable to start or move to a different node. This is an unexpected state. + ResourceSchedulableReasonUnschedulable = "Unschedulable" +) + +// PacemakerNodeAddressType represents the type of a node address. +// Currently only InternalIP is supported. +// +kubebuilder:validation:Enum=InternalIP +// +enum +type PacemakerNodeAddressType string + +const ( + // PacemakerNodeInternalIP is an internal IP address assigned to the node. + // This is typically the IP address used for intra-cluster communication. + PacemakerNodeInternalIP PacemakerNodeAddressType = "InternalIP" +) + +// PacemakerNodeAddress contains information for a node's address. +// This is similar to corev1.NodeAddress but adds validation for IP addresses. +type PacemakerNodeAddress struct { + // type is the type of node address. + // Currently only "InternalIP" is supported. + // +required + Type PacemakerNodeAddressType `json:"type,omitempty"` + + // address is the node address. + // For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form. + // Canonical form means the shortest standard representation (e.g., "192.168.1.1" not "192.168.001.001", + // or "2001:db8::1" not "2001:0db8::1"). Maximum length is 39 characters (full IPv6 address). + // Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=39 + // +kubebuilder:validation:XValidation:rule="isIP(self) && ip.isCanonical(self) && ip(self).isGlobalUnicast()",message="must be a valid global unicast IPv4 or IPv6 address in canonical form" + // +required + Address string `json:"address,omitempty"` +} + +// PacemakerClusterResourceName represents the name of a pacemaker resource. +// Fencing agents are tracked separately in the fencingAgents field. +// +kubebuilder:validation:Enum=Kubelet;Etcd +// +enum +type PacemakerClusterResourceName string + +// PacemakerClusterResourceName values +const ( + // PacemakerClusterResourceNameKubelet is the kubelet pacemaker resource. + // The kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. + PacemakerClusterResourceNameKubelet PacemakerClusterResourceName = "Kubelet" + + // PacemakerClusterResourceNameEtcd is the etcd pacemaker resource. + // The etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. + PacemakerClusterResourceNameEtcd PacemakerClusterResourceName = "Etcd" +) + +// FencingMethod represents the method used by a fencing agent to isolate failed nodes. +// Valid values are "Redfish" and "IPMI". +// +kubebuilder:validation:Enum=Redfish;IPMI +// +enum +type FencingMethod string + +// FencingMethod values +const ( + // FencingMethodRedfish uses Redfish, a standard RESTful API for server management. + FencingMethodRedfish FencingMethod = "Redfish" + + // FencingMethodIPMI uses IPMI (Intelligent Platform Management Interface), a hardware management interface. + FencingMethodIPMI FencingMethod = "IPMI" +) + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command. +// PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is "cluster". This +// resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments. +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=pacemakerclusters,scope=Cluster,singular=pacemakercluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2544 +// +openshift:file-pattern=cvoRunLevel=0000_25,operatorName=etcd,operatorOrdering=01,operatorComponent=two-node-fencing +// +openshift:enable:FeatureGate=DualReplica +// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="PacemakerCluster must be named 'cluster'" +// +kubebuilder:validation:XValidation:rule="!has(oldSelf.status) || has(self.status)",message="status may not be removed once set" +type PacemakerCluster struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +required + metav1.ObjectMeta `json:"metadata,omitempty"` + + // status contains the actual pacemaker cluster status information collected from the cluster. + // The goal of this status is to be able to quickly identify if pacemaker is in a healthy state. + // In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources. + // This field is optional on creation - the status collector populates it immediately after creating + // the resource via the status subresource. + // +optional + Status PacemakerClusterStatus `json:"status,omitzero"` +} + +// PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status +// object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value. +// The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case. +// +kubebuilder:validation:XValidation:rule="!has(oldSelf.lastUpdated) || self.lastUpdated >= oldSelf.lastUpdated",message="lastUpdated may not be set to an earlier timestamp" +type PacemakerClusterStatus struct { + // conditions represent the observations of the pacemaker cluster's current state. + // Known condition types are: "Healthy", "InService", "NodeCountAsExpected". + // The "Healthy" condition is an aggregate that tracks the overall health of the cluster. + // The "InService" condition tracks whether the cluster is in service (not in maintenance mode). + // The "NodeCountAsExpected" condition tracks whether the expected number of nodes are present. + // Each of these conditions is required, so the array must contain at least 3 items. + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MinItems=3 + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'NodeCountAsExpected')",message="conditions must contain a condition of type NodeCountAsExpected" + // +required + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // lastUpdated is the timestamp when this status was last updated. This is useful for identifying + // stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot + // be removed and cannot be set to an earlier timestamp than the current value. + // +kubebuilder:validation:Format=date-time + // +required + LastUpdated metav1.Time `json:"lastUpdated,omitempty,omitzero"` + + // nodes provides detailed status for each control-plane node in the Pacemaker cluster. + // While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). + // For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. + // An empty list indicates a catastrophic failure where Pacemaker reports no nodes. + // +listType=map + // +listMapKey=nodeName + // +kubebuilder:validation:MinItems=0 + // +kubebuilder:validation:MaxItems=5 + // +required + Nodes *[]PacemakerClusterNodeStatus `json:"nodes,omitempty"` +} + +// PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including +// the node's conditions and the health of critical resources running on that node. +type PacemakerClusterNodeStatus struct { + // conditions represent the observations of the node's current state. + // Known condition types are: "Healthy", "Online", "InService", "Active", "Ready", "Clean", "Member", + // "FencingAvailable", "FencingHealthy". + // The "Healthy" condition is an aggregate that tracks the overall health of the node. + // The "Online" condition tracks whether the node is online. + // The "InService" condition tracks whether the node is in service (not in maintenance mode). + // The "Active" condition tracks whether the node is active (not in standby mode). + // The "Ready" condition tracks whether the node is ready (not in a pending state). + // The "Clean" condition tracks whether the node is in a clean (status known) state. + // The "Member" condition tracks whether the node is a member of the cluster. + // The "FencingAvailable" condition tracks whether this node can be fenced by at least one healthy agent. + // The "FencingHealthy" condition tracks whether all fencing agents for this node are healthy. + // Each of these conditions is required, so the array must contain at least 9 items. + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MinItems=9 + // +kubebuilder:validation:MaxItems=16 + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Online')",message="conditions must contain a condition of type Online" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Ready')",message="conditions must contain a condition of type Ready" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Clean')",message="conditions must contain a condition of type Clean" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Member')",message="conditions must contain a condition of type Member" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingAvailable')",message="conditions must contain a condition of type FencingAvailable" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingHealthy')",message="conditions must contain a condition of type FencingHealthy" + // +required + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase + // RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with + // an alphanumeric character, and be at most 253 characters in length. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="nodeName must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" + // +required + NodeName string `json:"nodeName,omitempty"` + + // addresses is a list of IP addresses for the node. + // Pacemaker allows multiple IP addresses for Corosync communication between nodes. + // The first address in this list is used for IP-based peer URLs for etcd membership. + // Each address must be a valid global unicast IPv4 or IPv6 address in canonical form + // (e.g., "192.168.1.1" not "192.168.001.001", or "2001:db8::1" not "2001:0db8::1"). + // This excludes loopback, link-local, and multicast addresses. + // +listType=atomic + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=8 + // +required + Addresses []PacemakerNodeAddress `json:"addresses,omitempty"` + + // resources contains the status of pacemaker resources scheduled on this node. + // Each resource entry includes the resource name and its health conditions. + // For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. + // Both resources are required to be present, so the array must contain at least 2 items. + // Valid resource names are "Kubelet" and "Etcd". + // Fencing agents are tracked separately in the fencingAgents field. + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MinItems=2 + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Kubelet')",message="resources must contain a resource named Kubelet" + // +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Etcd')",message="resources must contain a resource named Etcd" + // +required + Resources []PacemakerClusterResourceStatus `json:"resources,omitempty"` + + // fencingAgents contains the status of fencing agents that can fence this node. + // Unlike resources (which are scheduled to run on this node), fencing agents are mapped + // to the node they can fence (their target), not the node where monitoring operations run. + // Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. + // A node is considered fence-capable if at least one fencing agent is healthy. + // A healthy node is expected to have at least 1 fencing agent, but the list may be empty + // when fencing agent discovery fails. + // Names must be unique within this array. + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MinItems=0 + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="fencing agent names must be unique" + // +required + FencingAgents []PacemakerClusterFencingAgentStatus `json:"fencingAgents,omitempty"` +} + +// PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node. +// Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. +// Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they +// can fence), not the node where their monitoring operations are scheduled. +type PacemakerClusterFencingAgentStatus struct { + // conditions represent the observations of the fencing agent's current state. + // Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational", + // "Active", "Started", "Schedulable". + // The "Healthy" condition is an aggregate that tracks the overall health of the fencing agent. + // The "InService" condition tracks whether the fencing agent is in service (not in maintenance mode). + // The "Managed" condition tracks whether the fencing agent is managed by pacemaker. + // The "Enabled" condition tracks whether the fencing agent is enabled. + // The "Operational" condition tracks whether the fencing agent is operational (not failed). + // The "Active" condition tracks whether the fencing agent is active (available to be used). + // The "Started" condition tracks whether the fencing agent is started. + // The "Schedulable" condition tracks whether the fencing agent is schedulable (not blocked). + // Each of these conditions is required, so the array must contain at least 8 items. + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MinItems=8 + // +kubebuilder:validation:MaxItems=16 + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable" + // +required + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // name is the unique identifier for this fencing agent (e.g., "master-0_redfish"). + // The name must be unique within the fencingAgents array for this node. + // It may contain alphanumeric characters, dots, hyphens, and underscores. + // Maximum length is 300 characters, providing headroom beyond the typical format of + // _ (253 for RFC 1123 node name + 1 underscore + type). + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=300 + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="name must contain only alphanumeric characters, dots, hyphens, and underscores" + // +required + Name string `json:"name,omitempty"` + + // method is the fencing method used by this agent. + // Valid values are "Redfish" and "IPMI". + // Redfish is a standard RESTful API for server management. + // IPMI (Intelligent Platform Management Interface) is a hardware management interface. + // +required + Method FencingMethod `json:"method,omitempty"` +} + +// PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node. +// A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or +// applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. +// For Two Node OpenShift with Fencing, we track two resources per node: +// - Kubelet (the Kubernetes node agent and a prerequisite for etcd) +// - Etcd (the distributed key-value store) +// +// Fencing agents are tracked separately in the fencingAgents field because they are mapped to +// their target node (the node they can fence), not the node where monitoring operations are scheduled. +type PacemakerClusterResourceStatus struct { + // conditions represent the observations of the resource's current state. + // Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational", + // "Active", "Started", "Schedulable". + // The "Healthy" condition is an aggregate that tracks the overall health of the resource. + // The "InService" condition tracks whether the resource is in service (not in maintenance mode). + // The "Managed" condition tracks whether the resource is managed by pacemaker. + // The "Enabled" condition tracks whether the resource is enabled. + // The "Operational" condition tracks whether the resource is operational (not failed). + // The "Active" condition tracks whether the resource is active (available to be used). + // The "Started" condition tracks whether the resource is started. + // The "Schedulable" condition tracks whether the resource is schedulable (not blocked). + // Each of these conditions is required, so the array must contain at least 8 items. + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MinItems=8 + // +kubebuilder:validation:MaxItems=16 + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started" + // +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable" + // +required + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // name is the name of the pacemaker resource. + // Valid values are "Kubelet" and "Etcd". + // The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. + // The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. + // Fencing agents are tracked separately in the node's fencingAgents field. + // +required + Name PacemakerClusterResourceName `json:"name,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton +// resource; only one instance named "cluster" may exist. This list type exists only to satisfy Kubernetes API +// conventions. +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type PacemakerClusterList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata,omitempty"` + + // items is a list of PacemakerCluster objects. + Items []PacemakerCluster `json:"items"` +} diff --git a/vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go new file mode 100644 index 0000000000..c529240e40 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go @@ -0,0 +1,210 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Code generated by codegen. DO NOT EDIT. + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerCluster) DeepCopyInto(out *PacemakerCluster) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerCluster. +func (in *PacemakerCluster) DeepCopy() *PacemakerCluster { + if in == nil { + return nil + } + out := new(PacemakerCluster) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacemakerCluster) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterFencingAgentStatus) DeepCopyInto(out *PacemakerClusterFencingAgentStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterFencingAgentStatus. +func (in *PacemakerClusterFencingAgentStatus) DeepCopy() *PacemakerClusterFencingAgentStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterFencingAgentStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterList) DeepCopyInto(out *PacemakerClusterList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PacemakerCluster, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterList. +func (in *PacemakerClusterList) DeepCopy() *PacemakerClusterList { + if in == nil { + return nil + } + out := new(PacemakerClusterList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacemakerClusterList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterNodeStatus) DeepCopyInto(out *PacemakerClusterNodeStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Addresses != nil { + in, out := &in.Addresses, &out.Addresses + *out = make([]PacemakerNodeAddress, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]PacemakerClusterResourceStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.FencingAgents != nil { + in, out := &in.FencingAgents, &out.FencingAgents + *out = make([]PacemakerClusterFencingAgentStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterNodeStatus. +func (in *PacemakerClusterNodeStatus) DeepCopy() *PacemakerClusterNodeStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterNodeStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterResourceStatus) DeepCopyInto(out *PacemakerClusterResourceStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterResourceStatus. +func (in *PacemakerClusterResourceStatus) DeepCopy() *PacemakerClusterResourceStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterResourceStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerClusterStatus) DeepCopyInto(out *PacemakerClusterStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastUpdated.DeepCopyInto(&out.LastUpdated) + if in.Nodes != nil { + in, out := &in.Nodes, &out.Nodes + *out = new([]PacemakerClusterNodeStatus) + if **in != nil { + in, out := *in, *out + *out = make([]PacemakerClusterNodeStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterStatus. +func (in *PacemakerClusterStatus) DeepCopy() *PacemakerClusterStatus { + if in == nil { + return nil + } + out := new(PacemakerClusterStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacemakerNodeAddress) DeepCopyInto(out *PacemakerNodeAddress) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerNodeAddress. +func (in *PacemakerNodeAddress) DeepCopy() *PacemakerNodeAddress { + if in == nil { + return nil + } + out := new(PacemakerNodeAddress) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml new file mode 100644 index 0000000000..1a11a877c4 --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml @@ -0,0 +1,23 @@ +pacemakerclusters.etcd.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2544 + CRDName: pacemakerclusters.etcd.openshift.io + Capability: "" + Category: "" + FeatureGates: + - DualReplica + FilenameOperatorName: etcd + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_25" + GroupName: etcd.openshift.io + HasStatus: true + KindName: PacemakerCluster + Labels: {} + PluralName: pacemakerclusters + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - DualReplica + Version: v1 + diff --git a/vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go new file mode 100644 index 0000000000..e9e47b47cf --- /dev/null +++ b/vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go @@ -0,0 +1,89 @@ +package v1 + +// This file contains a collection of methods that can be used from go-restful to +// generate Swagger API documentation for its models. Please read this PR for more +// information on the implementation: https://github.com/emicklei/go-restful/pull/215 +// +// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if +// they are on one line! For multiple line or blocks that you want to ignore use ---. +// Any context after a --- is ignored. +// +// Those methods can be generated by using hack/update-swagger-docs.sh + +// AUTO-GENERATED FUNCTIONS START HERE +var map_PacemakerCluster = map[string]string{ + "": "PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command. PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is \"cluster\". This resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "status": "status contains the actual pacemaker cluster status information collected from the cluster. The goal of this status is to be able to quickly identify if pacemaker is in a healthy state. In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources. This field is optional on creation - the status collector populates it immediately after creating the resource via the status subresource.", +} + +func (PacemakerCluster) SwaggerDoc() map[string]string { + return map_PacemakerCluster +} + +var map_PacemakerClusterFencingAgentStatus = map[string]string{ + "": "PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node. Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they can fence), not the node where their monitoring operations are scheduled.", + "conditions": "conditions represent the observations of the fencing agent's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the fencing agent. The \"InService\" condition tracks whether the fencing agent is in service (not in maintenance mode). The \"Managed\" condition tracks whether the fencing agent is managed by pacemaker. The \"Enabled\" condition tracks whether the fencing agent is enabled. The \"Operational\" condition tracks whether the fencing agent is operational (not failed). The \"Active\" condition tracks whether the fencing agent is active (available to be used). The \"Started\" condition tracks whether the fencing agent is started. The \"Schedulable\" condition tracks whether the fencing agent is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.", + "name": "name is the unique identifier for this fencing agent (e.g., \"master-0_redfish\"). The name must be unique within the fencingAgents array for this node. It may contain alphanumeric characters, dots, hyphens, and underscores. Maximum length is 300 characters, providing headroom beyond the typical format of _ (253 for RFC 1123 node name + 1 underscore + type).", + "method": "method is the fencing method used by this agent. Valid values are \"Redfish\" and \"IPMI\". Redfish is a standard RESTful API for server management. IPMI (Intelligent Platform Management Interface) is a hardware management interface.", +} + +func (PacemakerClusterFencingAgentStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterFencingAgentStatus +} + +var map_PacemakerClusterList = map[string]string{ + "": "PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton resource; only one instance named \"cluster\" may exist. This list type exists only to satisfy Kubernetes API conventions.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of PacemakerCluster objects.", +} + +func (PacemakerClusterList) SwaggerDoc() map[string]string { + return map_PacemakerClusterList +} + +var map_PacemakerClusterNodeStatus = map[string]string{ + "": "PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including the node's conditions and the health of critical resources running on that node.", + "conditions": "conditions represent the observations of the node's current state. Known condition types are: \"Healthy\", \"Online\", \"InService\", \"Active\", \"Ready\", \"Clean\", \"Member\", \"FencingAvailable\", \"FencingHealthy\". The \"Healthy\" condition is an aggregate that tracks the overall health of the node. The \"Online\" condition tracks whether the node is online. The \"InService\" condition tracks whether the node is in service (not in maintenance mode). The \"Active\" condition tracks whether the node is active (not in standby mode). The \"Ready\" condition tracks whether the node is ready (not in a pending state). The \"Clean\" condition tracks whether the node is in a clean (status known) state. The \"Member\" condition tracks whether the node is a member of the cluster. The \"FencingAvailable\" condition tracks whether this node can be fenced by at least one healthy agent. The \"FencingHealthy\" condition tracks whether all fencing agents for this node are healthy. Each of these conditions is required, so the array must contain at least 9 items.", + "nodeName": "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.", + "addresses": "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.", + "resources": "resources contains the status of pacemaker resources scheduled on this node. Each resource entry includes the resource name and its health conditions. For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. Both resources are required to be present, so the array must contain at least 2 items. Valid resource names are \"Kubelet\" and \"Etcd\". Fencing agents are tracked separately in the fencingAgents field.", + "fencingAgents": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. A healthy node is expected to have at least 1 fencing agent, but the list may be empty when fencing agent discovery fails. Names must be unique within this array.", +} + +func (PacemakerClusterNodeStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterNodeStatus +} + +var map_PacemakerClusterResourceStatus = map[string]string{ + "": "PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node. A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. For Two Node OpenShift with Fencing, we track two resources per node:\n - Kubelet (the Kubernetes node agent and a prerequisite for etcd)\n - Etcd (the distributed key-value store)\n\nFencing agents are tracked separately in the fencingAgents field because they are mapped to their target node (the node they can fence), not the node where monitoring operations are scheduled.", + "conditions": "conditions represent the observations of the resource's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the resource. The \"InService\" condition tracks whether the resource is in service (not in maintenance mode). The \"Managed\" condition tracks whether the resource is managed by pacemaker. The \"Enabled\" condition tracks whether the resource is enabled. The \"Operational\" condition tracks whether the resource is operational (not failed). The \"Active\" condition tracks whether the resource is active (available to be used). The \"Started\" condition tracks whether the resource is started. The \"Schedulable\" condition tracks whether the resource is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.", + "name": "name is the name of the pacemaker resource. Valid values are \"Kubelet\" and \"Etcd\". The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. Fencing agents are tracked separately in the node's fencingAgents field.", +} + +func (PacemakerClusterResourceStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterResourceStatus +} + +var map_PacemakerClusterStatus = map[string]string{ + "": "PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value. The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.", + "conditions": "conditions represent the observations of the pacemaker cluster's current state. Known condition types are: \"Healthy\", \"InService\", \"NodeCountAsExpected\". The \"Healthy\" condition is an aggregate that tracks the overall health of the cluster. The \"InService\" condition tracks whether the cluster is in service (not in maintenance mode). The \"NodeCountAsExpected\" condition tracks whether the expected number of nodes are present. Each of these conditions is required, so the array must contain at least 3 items.", + "lastUpdated": "lastUpdated is the timestamp when this status was last updated. This is useful for identifying stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot be removed and cannot be set to an earlier timestamp than the current value.", + "nodes": "nodes provides detailed status for each control-plane node in the Pacemaker cluster. While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. An empty list indicates a catastrophic failure where Pacemaker reports no nodes.", +} + +func (PacemakerClusterStatus) SwaggerDoc() map[string]string { + return map_PacemakerClusterStatus +} + +var map_PacemakerNodeAddress = map[string]string{ + "": "PacemakerNodeAddress contains information for a node's address. This is similar to corev1.NodeAddress but adds validation for IP addresses.", + "type": "type is the type of node address. Currently only \"InternalIP\" is supported.", + "address": "address is the node address. For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form. Canonical form means the shortest standard representation (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). Maximum length is 39 characters (full IPv6 address). Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.", +} + +func (PacemakerNodeAddress) SwaggerDoc() map[string]string { + return map_PacemakerNodeAddress +} + +// AUTO-GENERATED FUNCTIONS END HERE diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go index ab06d0e390..b627413474 100644 --- a/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go +++ b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go @@ -609,11 +609,12 @@ type PacemakerClusterNodeStatus struct { // to the node they can fence (their target), not the node where monitoring operations run. // Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. // A node is considered fence-capable if at least one fencing agent is healthy. - // Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. + // A healthy node is expected to have at least 1 fencing agent, but the list may be empty + // when fencing agent discovery fails. // Names must be unique within this array. // +listType=map // +listMapKey=name - // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MinItems=0 // +kubebuilder:validation:MaxItems=8 // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="fencing agent names must be unique" // +required diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go index 62e1c3ebd7..dc6f224288 100644 --- a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go @@ -48,7 +48,7 @@ var map_PacemakerClusterNodeStatus = map[string]string{ "nodeName": "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.", "addresses": "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.", "resources": "resources contains the status of pacemaker resources scheduled on this node. Each resource entry includes the resource name and its health conditions. For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. Both resources are required to be present, so the array must contain at least 2 items. Valid resource names are \"Kubelet\" and \"Etcd\". Fencing agents are tracked separately in the fencingAgents field.", - "fencingAgents": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. Names must be unique within this array.", + "fencingAgents": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. A healthy node is expected to have at least 1 fencing agent, but the list may be empty when fencing agent discovery fails. Names must be unique within this array.", } func (PacemakerClusterNodeStatus) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 69bdc61b76..8112c57f72 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md @@ -9,6 +9,7 @@ | ClusterAPIComputeInstall| | | Enabled | Enabled | | | | | | ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | | | ClusterUpdatePreflight| | | Enabled | Enabled | | | | | +| ConfidentialCluster| | | Enabled | Enabled | | | | | | Example2| | | Enabled | Enabled | | | | | | ExternalOIDCExternalClaimsSourcing| | | Enabled | Enabled | | | | | | ExternalSnapshotMetadata| | | Enabled | Enabled | | | | | @@ -22,6 +23,7 @@ | NewOLMPreflightPermissionChecks| | | | Enabled | | | | Enabled | | NoRegistryClusterInstall| | | | Enabled | | | | Enabled | | ProvisioningRequestAvailable| | | Enabled | Enabled | | | | | +| VSphereMultiVCenterDay2| | | Enabled | Enabled | | | | | | AWSClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled | | AWSClusterHostedDNSInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AWSDedicatedHosts| | | Enabled | Enabled | | | Enabled | Enabled | @@ -29,7 +31,6 @@ | AWSEuropeanSovereignCloudInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AdditionalStorageConfig| | | Enabled | Enabled | | | Enabled | Enabled | | AutomatedEtcdBackup| | | Enabled | Enabled | | | Enabled | Enabled | -| AzureClusterHostedDNSInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AzureDedicatedHosts| | | Enabled | Enabled | | | Enabled | Enabled | | AzureDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled | | AzureMultiDisk| | | Enabled | Enabled | | | Enabled | Enabled | @@ -53,18 +54,14 @@ | ConfigurablePKI| | | Enabled | Enabled | | | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | | | Enabled | Enabled | | DRAPartitionableDevices| | | Enabled | Enabled | | | Enabled | Enabled | -| DualReplica| | | Enabled | Enabled | | | Enabled | Enabled | | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled | | EVPN| | | Enabled | Enabled | | | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | | | Enabled | Enabled | -| EventTTL| | | Enabled | Enabled | | | Enabled | Enabled | | Example| | | Enabled | Enabled | | | Enabled | Enabled | | ExternalOIDCWithUpstreamParity| | | Enabled | Enabled | | | Enabled | Enabled | -| GCPClusterHostedDNS| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | | | Enabled | Enabled | | GCPDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled | -| GatewayAPIWithoutOLM| | | Enabled | Enabled | | | Enabled | Enabled | | HyperShiftOnlyDynamicResourceAllocation| Enabled | | Enabled | | Enabled | | Enabled | | | ImageModeStatusReporting| | | Enabled | Enabled | | | Enabled | Enabled | | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | | | Enabled | Enabled | @@ -89,17 +86,19 @@ | SignatureStores| | | Enabled | Enabled | | | Enabled | Enabled | | TLSAdherence| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled | -| VSphereHostVMGroupZonal| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | | | Enabled | Enabled | | AWSServiceLBNetworkSecurityGroup| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled | +| AzureClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BootImageSkewEnforcement| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| DualReplica| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| EventTTL| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| GCPClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| GatewayAPIWithoutOLM| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -116,5 +115,6 @@ | UpgradeStatus| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| VSphereHostVMGroupZonal| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiDisk| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 6715d9e8ad..5d148165cc 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -175,7 +175,7 @@ var ( contactPerson("jcpowermac"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1677"). - enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). + enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() FeatureGateVSphereMultiDisk = newFeatureGate("VSphereMultiDisk"). @@ -203,12 +203,12 @@ var ( mustRegister() FeatureGateNoOverlayMode = newFeatureGate("NoOverlayMode"). - reportProblemsToJiraComponent("Networking/ovn-kubernetes"). - contactPerson("pliurh"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1859"). - enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). - mustRegister() + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("pliurh"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1859"). + enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). + mustRegister() FeatureGateEVPN = newFeatureGate("EVPN"). reportProblemsToJiraComponent("Networking/ovn-kubernetes"). @@ -272,14 +272,6 @@ var ( enhancementPR(legacyFeatureGateWithoutEnhancement). mustRegister() - FeatureGateGCPClusterHostedDNS = newFeatureGate("GCPClusterHostedDNS"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). - mustRegister() - FeatureGateAWSClusterHostedDNS = newFeatureGate("AWSClusterHostedDNS"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). @@ -293,7 +285,7 @@ var ( contactPerson("sadasu"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). + enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() FeatureGateMixedCPUsAllocation = newFeatureGate("MixedCPUsAllocation"). @@ -750,7 +742,7 @@ var ( contactPerson("jaypoulz"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1675"). - enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). + enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() FeatureShortCertRotation = newFeatureGate("ShortCertRotation"). @@ -808,6 +800,14 @@ var ( enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() + FeatureGateVSphereMultiVCenterDay2 = newFeatureGate("VSphereMultiVCenterDay2"). + reportProblemsToJiraComponent("splat"). + contactPerson("vr4manta"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1961"). + enable(inDevPreviewNoUpgrade()). + mustRegister() + FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup"). reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager"). contactPerson("mtulio"). @@ -825,14 +825,6 @@ var ( enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() - FeatureGateGCPClusterHostedDNSInstall = newFeatureGate("GCPClusterHostedDNSInstall"). - reportProblemsToJiraComponent("Installer"). - contactPerson("barbacbd"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1468"). - enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). - mustRegister() - FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall"). reportProblemsToJiraComponent("Installer"). contactPerson("barbacbd"). @@ -908,7 +900,7 @@ var ( contactPerson("tjungblu"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1857"). - enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). + enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()). mustRegister() FeatureGateMutableCSINodeAllocatableCount = newFeatureGate("MutableCSINodeAllocatableCount"). @@ -1002,7 +994,7 @@ var ( contactPerson("miciah"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1933"). - enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). + enable(inDefault(), inOKD(), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). mustRegister() FeatureGateTLSAdherence = newFeatureGate("TLSAdherence"). @@ -1012,4 +1004,12 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1910"). enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). mustRegister() + + FeatureGateConfidentialCluster = newFeatureGate("ConfidentialCluster"). + reportProblemsToJiraComponent("ConfidentialClusters"). + contactPerson("fjin"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1962"). + enable(inDevPreviewNoUpgrade()). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go index 713a4a944c..21615ee9aa 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go @@ -732,27 +732,40 @@ type KubeletConfig struct { Status KubeletConfigStatus `json:"status"` } -// KubeletConfigSpec defines the desired state of KubeletConfig +// KubeletConfigSpec configures the kubelet running on cluster nodes. type KubeletConfigSpec struct { + // autoSizingReserved controls whether system-reserved CPU and memory are automatically + // calculated based on each node's installed capacity. When set to true, this prevents node failure + // from resource starvation of system components (kubelet, CRI-O) without manual configuration. + // When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, + // which is subject to change over time. The current default is true for worker nodes and false for control plane nodes. + // When set to false, automatic resource reservation is disabled and manual settings must be configured. // +optional AutoSizingReserved *bool `json:"autoSizingReserved,omitempty"` + // logLevel sets the kubelet log verbosity, controlling the amount of detail in kubelet logs. + // Valid values range from 0 (minimal logging) to 10 (maximum verbosity with trace-level detail). + // Higher log levels may impact node performance. When omitted, the platform chooses a reasonable default, + // which is subject to change over time. The current default is 2 (standard informational logging). + // +kubebuilder:validation:Minimum=0 + // +kubebuilder:validation:Maximum=10 // +optional LogLevel *int32 `json:"logLevel,omitempty"` - // machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. - // A nil selector will result in no pools being selected. + // machineConfigPoolSelector selects which pools the KubeletConfig should apply to. + // When omitted or set to an empty selector {}, no pools are selected, which is equivalent + // to not matching any MachineConfigPool. // +optional MachineConfigPoolSelector *metav1.LabelSelector `json:"machineConfigPoolSelector,omitempty"` - // kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by - // OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from - // upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes - // for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + // kubeletConfig contains upstream Kubernetes kubelet configuration fields. + // Values are validated by the kubelet itself. Invalid values may render nodes unusable. + // Refer to OpenShift documentation for the Kubernetes version corresponding to your + // OpenShift release to find valid kubelet configuration options. // +optional KubeletConfig *runtime.RawExtension `json:"kubeletConfig,omitempty"` - // If unset, the default is based on the apiservers.config.openshift.io/cluster resource. - // Note that only Old and Intermediate profiles are currently supported, and - // the maximum available minTLSVersion is VersionTLS12. + // tlsSecurityProfile configures TLS settings for the kubelet. + // When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster. + // When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility. // +optional TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` } diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml index e1d9a8a608..3461daae47 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml @@ -128,8 +128,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS + IAM role ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') type: object type: description: |- diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml index ce1f3424e8..df2f24ce08 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml @@ -128,8 +128,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS + IAM role ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$') type: object type: description: |- @@ -1111,6 +1119,19 @@ spec: - topology - zone type: object + x-kubernetes-validations: + - message: when zoneAffinity type is HostGroup, + regionAffinity type must be ComputeCluster + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''HostGroup'' ? has(self.regionAffinity) + && self.regionAffinity.type == ''ComputeCluster'' + : true' + - message: when zoneAffinity type is ComputeCluster, + regionAffinity type must be Datacenter + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''ComputeCluster'' ? has(self.regionAffinity) + && self.regionAffinity.type == ''Datacenter'' + : true' type: array x-kubernetes-list-map-keys: - name @@ -1337,6 +1358,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1544,6 +1566,109 @@ spec: resource management in non-soverign clouds such as Azure Stack. type: string + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. + enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType + is ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' cloudName: description: |- cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml index 64c29db537..0ae7a36d13 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml @@ -128,8 +128,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS + IAM role ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') type: object type: description: |- diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml index 5871667293..e4bef30eb6 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml @@ -128,8 +128,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS + IAM role ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$') type: object type: description: |- @@ -1111,6 +1119,19 @@ spec: - topology - zone type: object + x-kubernetes-validations: + - message: when zoneAffinity type is HostGroup, + regionAffinity type must be ComputeCluster + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''HostGroup'' ? has(self.regionAffinity) + && self.regionAffinity.type == ''ComputeCluster'' + : true' + - message: when zoneAffinity type is ComputeCluster, + regionAffinity type must be Datacenter + rule: 'has(self.zoneAffinity) && self.zoneAffinity.type + == ''ComputeCluster'' ? has(self.regionAffinity) + && self.regionAffinity.type == ''Datacenter'' + : true' type: array x-kubernetes-list-map-keys: - name @@ -1337,6 +1358,7 @@ spec: - HighlyAvailable - HighlyAvailableArbiter - SingleReplica + - DualReplica - External type: string cpuPartitioning: @@ -1544,6 +1566,109 @@ spec: resource management in non-soverign clouds such as Azure Stack. type: string + cloudLoadBalancerConfig: + default: + dnsType: PlatformDefault + description: |- + cloudLoadBalancerConfig holds configuration related to DNS and cloud + load balancers. It allows configuration of in-cluster DNS as an alternative + to the platform default DNS implementation. + When using the ClusterHosted DNS type, Load Balancer IP addresses + must be provided for the API and internal API load balancers as well as the + ingress load balancer. + properties: + clusterHosted: + description: |- + clusterHosted holds the IP addresses of API, API-Int and Ingress Load + Balancers on Cloud Platforms. The DNS solution hosted within the cluster + use these IP addresses to provide resolution for API, API-Int and Ingress + services. + properties: + apiIntLoadBalancerIPs: + description: |- + apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the apiIntLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + apiLoadBalancerIPs: + description: |- + apiLoadBalancerIPs holds Load Balancer IPs for the API service. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Could be empty for private clusters. + Entries in the apiLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + ingressLoadBalancerIPs: + description: |- + ingressLoadBalancerIPs holds IPs for Ingress Load Balancers. + These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses. + Entries in the ingressLoadBalancerIPs must be unique. + A maximum of 16 IP addresses are permitted. + format: ip + items: + description: IP is an IP address (for example, + "10.0.0.0" or "fd00::"). + maxLength: 39 + minLength: 1 + type: string + x-kubernetes-validations: + - message: value must be a valid IP address + rule: isIP(self) + maxItems: 16 + type: array + x-kubernetes-list-type: set + type: object + dnsType: + default: PlatformDefault + description: |- + dnsType indicates the type of DNS solution in use within the cluster. Its default value of + `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform. + It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode, + the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed. + The cluster's use of the cloud's Load Balancers is unaffected by this setting. + The value is immutable after it has been set at install time. + Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS. + Enabling this functionality allows the user to start their own DNS solution outside the cluster after + installation is complete. The customer would be responsible for configuring this custom DNS solution, + and it can be run in addition to the in-cluster DNS solution. + enum: + - ClusterHosted + - PlatformDefault + type: string + x-kubernetes-validations: + - message: dnsType is immutable + rule: oldSelf == '' || self == oldSelf + type: object + x-kubernetes-validations: + - message: clusterHosted is permitted only when dnsType + is ClusterHosted + rule: 'has(self.dnsType) && self.dnsType != ''ClusterHosted'' + ? !has(self.clusterHosted) : true' cloudName: description: |- cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml index ffc07a12c2..99cb62c603 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml @@ -128,8 +128,16 @@ spec: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed. - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ + + The ARN must follow the format: arn::iam:::role/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc), + is a 12-digit numeric identifier for the AWS account, + is the IAM role name. type: string + x-kubernetes-validations: + - message: 'privateZoneIAMRole must be a valid AWS + IAM role ARN in the format: arn::iam:::role/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$') type: object type: description: |- diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index ceaa0024ac..4be92099f4 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -47,22 +47,37 @@ spec: description: spec contains the desired kubelet configuration. properties: autoSizingReserved: + description: |- + autoSizingReserved controls whether system-reserved CPU and memory are automatically + calculated based on each node's installed capacity. When set to true, this prevents node failure + from resource starvation of system components (kubelet, CRI-O) without manual configuration. + When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, + which is subject to change over time. The current default is true for worker nodes and false for control plane nodes. + When set to false, automatic resource reservation is disabled and manual settings must be configured. type: boolean kubeletConfig: description: |- - kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by - OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from - upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes - for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + kubeletConfig contains upstream Kubernetes kubelet configuration fields. + Values are validated by the kubelet itself. Invalid values may render nodes unusable. + Refer to OpenShift documentation for the Kubernetes version corresponding to your + OpenShift release to find valid kubelet configuration options. type: object x-kubernetes-preserve-unknown-fields: true logLevel: + description: |- + logLevel sets the kubelet log verbosity, controlling the amount of detail in kubelet logs. + Valid values range from 0 (minimal logging) to 10 (maximum verbosity with trace-level detail). + Higher log levels may impact node performance. When omitted, the platform chooses a reasonable default, + which is subject to change over time. The current default is 2 (standard informational logging). format: int32 + maximum: 10 + minimum: 0 type: integer machineConfigPoolSelector: description: |- - machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. - A nil selector will result in no pools being selected. + machineConfigPoolSelector selects which pools the KubeletConfig should apply to. + When omitted or set to an empty selector {}, no pools are selected, which is equivalent + to not matching any MachineConfigPool. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. @@ -109,9 +124,9 @@ spec: x-kubernetes-map-type: atomic tlsSecurityProfile: description: |- - If unset, the default is based on the apiservers.config.openshift.io/cluster resource. - Note that only Old and Intermediate profiles are currently supported, and - the maximum available minTLSVersion is VersionTLS12. + tlsSecurityProfile configures TLS settings for the kubelet. + When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster. + When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility. properties: custom: description: |- diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index e23a4d6005..4e3d955856 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -31,11 +31,11 @@ controllerconfigs.machineconfiguration.openshift.io: FeatureGates: - AWSClusterHostedDNSInstall - AWSDualStackInstall + - AWSEuropeanSovereignCloudInstall - AzureClusterHostedDNSInstall - AzureDualStackInstall - DualReplica - DyanmicServiceEndpointIBMCloud - - GCPClusterHostedDNSInstall - NutanixMultiSubnets - OnPremDNSRecords - VSphereHostVMGroupZonal diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 008e48c9f9..c286d4e275 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go @@ -244,10 +244,12 @@ func (KubeletConfigList) SwaggerDoc() map[string]string { } var map_KubeletConfigSpec = map[string]string{ - "": "KubeletConfigSpec defines the desired state of KubeletConfig", - "machineConfigPoolSelector": "machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. A nil selector will result in no pools being selected.", - "kubeletConfig": "kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable.", - "tlsSecurityProfile": "If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + "": "KubeletConfigSpec configures the kubelet running on cluster nodes.", + "autoSizingReserved": "autoSizingReserved controls whether system-reserved CPU and memory are automatically calculated based on each node's installed capacity. When set to true, this prevents node failure from resource starvation of system components (kubelet, CRI-O) without manual configuration. When omitted, this means the user has no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is true for worker nodes and false for control plane nodes. When set to false, automatic resource reservation is disabled and manual settings must be configured.", + "logLevel": "logLevel sets the kubelet log verbosity, controlling the amount of detail in kubelet logs. Valid values range from 0 (minimal logging) to 10 (maximum verbosity with trace-level detail). Higher log levels may impact node performance. When omitted, the platform chooses a reasonable default, which is subject to change over time. The current default is 2 (standard informational logging).", + "machineConfigPoolSelector": "machineConfigPoolSelector selects which pools the KubeletConfig should apply to. When omitted or set to an empty selector {}, no pools are selected, which is equivalent to not matching any MachineConfigPool.", + "kubeletConfig": "kubeletConfig contains upstream Kubernetes kubelet configuration fields. Values are validated by the kubelet itself. Invalid values may render nodes unusable. Refer to OpenShift documentation for the Kubernetes version corresponding to your OpenShift release to find valid kubelet configuration options.", + "tlsSecurityProfile": "tlsSecurityProfile configures TLS settings for the kubelet. When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster. When specified, the type field can be set to either \"Old\", \"Intermediate\", \"Modern\", \"Custom\" or omitted for backward compatibility.", } func (KubeletConfigSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go index 53c71aabb6..52f5db78d5 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go +++ b/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go @@ -163,7 +163,15 @@ type AWSCSIDriverConfigSpec struct { // kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, // rather than the default KMS key used by AWS. // The value may be either the ARN or Alias ARN of a KMS key. - // +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$` + // + // The ARN must follow the format: arn::kms:::(key|alias)/, where: + // is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + // is the AWS region, + // is a 12-digit numeric identifier for the AWS account, + // is the KMS key ID or alias name. + // + // +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')`,message=`kmsKeyARN must be a valid AWS KMS key ARN in the format: arn::kms:::(key|alias)/` + // +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSEuropeanSovereignCloudInstall,rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')`,message=`kmsKeyARN must be a valid AWS KMS key ARN in the format: arn::kms:::(key|alias)/` // +optional KMSKeyARN string `json:"kmsKeyARN,omitempty"` diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index d54352f2ce..0c5cf919e1 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -2068,8 +2068,51 @@ type IngressControllerTuningOptions struct { // +kubebuilder:validation:Type:=string // +optional ReloadInterval metav1.Duration `json:"reloadInterval,omitempty"` + + // configurationManagement specifies how OpenShift router should update + // the HAProxy configuration. The following values are valid for this + // field: + // + // * "ForkAndReload". + // * "Dynamic". + // + // Omitting this field means that the user has no opinion and the + // platform may choose a reasonable default. This default is subject to + // change over time. The current default is "ForkAndReload". + // + // "ForkAndReload" means that OpenShift router should rewrite the + // HAProxy configuration file and instruct HAProxy to fork and reload. + // This is OpenShift router's traditional approach. + // + // "Dynamic" means that OpenShift router may use HAProxy's control + // socket for some configuration updates and fall back to fork and + // reload for other configuration updates. This is a newer approach, + // which may be less mature than ForkAndReload. This setting can + // improve load-balancing fairness and metrics accuracy and reduce CPU + // and memory usage if HAProxy has frequent configuration updates for + // route and endpoints updates. + // + // Note: The "Dynamic" option is currently experimental and should not + // be enabled on production clusters. + // + // +openshift:enable:FeatureGate=IngressControllerDynamicConfigurationManager + // +optional + ConfigurationManagement IngressControllerConfigurationManagement `json:"configurationManagement,omitempty"` } +// IngressControllerConfigurationManagement specifies whether always to use +// fork-and-reload to update the HAProxy configuration or whether to use +// HAProxy's control socket for some configuration updates. +// +// +enum +// +kubebuilder:validation:Enum=Dynamic;ForkAndReload +type IngressControllerConfigurationManagement string + +const ( + IngressControllerConfigurationManagementDynamic IngressControllerConfigurationManagement = "Dynamic" + IngressControllerConfigurationManagementForkAndReload IngressControllerConfigurationManagement = "ForkAndReload" +) + // HTTPEmptyRequestsPolicy indicates how HTTP connections for which no request // is received should be handled. // +kubebuilder:validation:Enum=Respond;Ignore diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml deleted file mode 100644 index 3e7c51dc6f..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml +++ /dev/null @@ -1,335 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index b0d11038de..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,349 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - eventTTLMinutes: - description: |- - eventTTLMinutes specifies the amount of time that the events are stored before being deleted. - The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). - - Lowering this value will reduce the storage required in etcd. Note that this setting will only apply - to new events being created and will not update existing events. - - When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. - The current default value is 3h (180 minutes). - format: int32 - maximum: 180 - minimum: 5 - type: integer - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml deleted file mode 100644 index ac96531975..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml +++ /dev/null @@ -1,335 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: OKD - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 48d0d6a709..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,349 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - eventTTLMinutes: - description: |- - eventTTLMinutes specifies the amount of time that the events are stored before being deleted. - The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). - - Lowering this value will reduce the storage required in etcd. Note that this setting will only apply - to new events being created and will not update existing events. - - When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. - The current default value is 3h (180 minutes). - format: int32 - maximum: 180 - minimum: 5 - type: integer - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml index ba2587dc9d..6d2d44026a 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml index 45486c2700..19b319fcb8 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml @@ -125,8 +125,17 @@ spec: kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ + + The ARN must follow the format: arn::kms:::(key|alias)/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + is the AWS region, + is a 12-digit numeric identifier for the AWS account, + is the KMS key ID or alias name. type: string + x-kubernetes-validations: + - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the + format: arn::kms:::(key|alias)/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$') type: object azure: description: azure is used to configure the Azure CSI driver. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml index 1b64e9e9a1..5bb6bdddcf 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml @@ -125,8 +125,17 @@ spec: kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ + + The ARN must follow the format: arn::kms:::(key|alias)/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + is the AWS region, + is a 12-digit numeric identifier for the AWS account, + is the KMS key ID or alias name. type: string + x-kubernetes-validations: + - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the + format: arn::kms:::(key|alias)/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$') type: object azure: description: azure is used to configure the Azure CSI driver. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml index 7029b1bde6..a03dd7d88d 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml @@ -125,8 +125,17 @@ spec: kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ + + The ARN must follow the format: arn::kms:::(key|alias)/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + is the AWS region, + is a 12-digit numeric identifier for the AWS account, + is the KMS key ID or alias name. type: string + x-kubernetes-validations: + - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the + format: arn::kms:::(key|alias)/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$') type: object azure: description: azure is used to configure the Azure CSI driver. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml index 04758b7a19..0e925a7511 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml @@ -125,8 +125,17 @@ spec: kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ + + The ARN must follow the format: arn::kms:::(key|alias)/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + is the AWS region, + is a 12-digit numeric identifier for the AWS account, + is the KMS key ID or alias name. type: string + x-kubernetes-validations: + - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the + format: arn::kms:::(key|alias)/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$') type: object azure: description: azure is used to configure the Azure CSI driver. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml index 04052c180e..3dc68028e0 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml @@ -125,8 +125,17 @@ spec: kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key. - pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)\/.*$ + + The ARN must follow the format: arn::kms:::(key|alias)/, where: + is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), + is the AWS region, + is a 12-digit numeric identifier for the AWS account, + is the KMS key ID or alias name. type: string + x-kubernetes-validations: + - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the + format: arn::kms:::(key|alias)/' + rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$') type: object azure: description: azure is used to configure the Azure CSI driver. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..fdf10772dd --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,3317 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + configurationManagement: + description: |- + configurationManagement specifies how OpenShift router should update + the HAProxy configuration. The following values are valid for this + field: + + * "ForkAndReload". + * "Dynamic". + + Omitting this field means that the user has no opinion and the + platform may choose a reasonable default. This default is subject to + change over time. The current default is "ForkAndReload". + + "ForkAndReload" means that OpenShift router should rewrite the + HAProxy configuration file and instruct HAProxy to fork and reload. + This is OpenShift router's traditional approach. + + "Dynamic" means that OpenShift router may use HAProxy's control + socket for some configuration updates and fall back to fork and + reload for other configuration updates. This is a newer approach, + which may be less mature than ForkAndReload. This setting can + improve load-balancing fairness and metrics accuracy and reduce CPU + and memory usage if HAProxy has frequent configuration updates for + route and endpoints updates. + + Note: The "Dynamic" option is currently experimental and should not + be enabled on production clusters. + enum: + - Dynamic + - ForkAndReload + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml new file mode 100644 index 0000000000..97c3ca8c40 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -0,0 +1,3286 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..89c366cda4 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,3317 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + configurationManagement: + description: |- + configurationManagement specifies how OpenShift router should update + the HAProxy configuration. The following values are valid for this + field: + + * "ForkAndReload". + * "Dynamic". + + Omitting this field means that the user has no opinion and the + platform may choose a reasonable default. This default is subject to + change over time. The current default is "ForkAndReload". + + "ForkAndReload" means that OpenShift router should rewrite the + HAProxy configuration file and instruct HAProxy to fork and reload. + This is OpenShift router's traditional approach. + + "Dynamic" means that OpenShift router may use HAProxy's control + socket for some configuration updates and fall back to fork and + reload for other configuration updates. This is a newer approach, + which may be less mature than ForkAndReload. This setting can + improve load-balancing fairness and metrics accuracy and reduce CPU + and memory usage if HAProxy has frequent configuration updates for + route and endpoints updates. + + Note: The "Dynamic" option is currently experimental and should not + be enabled on production clusters. + enum: + - Dynamic + - ForkAndReload + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index 00d20d54f9..535ddf0bc8 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml @@ -7,6 +7,7 @@ metadata: capability.openshift.io/name: Ingress include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: ingresscontrollers.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..2fbc3cd4e3 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,3317 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + configurationManagement: + description: |- + configurationManagement specifies how OpenShift router should update + the HAProxy configuration. The following values are valid for this + field: + + * "ForkAndReload". + * "Dynamic". + + Omitting this field means that the user has no opinion and the + platform may choose a reasonable default. This default is subject to + change over time. The current default is "ForkAndReload". + + "ForkAndReload" means that OpenShift router should rewrite the + HAProxy configuration file and instruct HAProxy to fork and reload. + This is OpenShift router's traditional approach. + + "Dynamic" means that OpenShift router may use HAProxy's control + socket for some configuration updates and fall back to fork and + reload for other configuration updates. This is a newer approach, + which may be less mature than ForkAndReload. This setting can + improve load-balancing fairness and metrics accuracy and reduce CPU + and memory usage if HAProxy has frequent configuration updates for + route and endpoints updates. + + Note: The "Dynamic" option is currently experimental and should not + be enabled on production clusters. + enum: + - Dynamic + - ForkAndReload + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 53cf23ade1..aaf0972908 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -69,6 +69,7 @@ clustercsidrivers.operator.openshift.io: Capability: "" Category: "" FeatureGates: + - AWSEuropeanSovereignCloudInstall - VSphereConfigurableMaxAllowedBlockVolumesPerNode FilenameOperatorName: csi-driver FilenameOperatorOrdering: "01" @@ -175,7 +176,8 @@ ingresscontrollers.operator.openshift.io: CRDName: ingresscontrollers.operator.openshift.io Capability: Ingress Category: "" - FeatureGates: [] + FeatureGates: + - IngressControllerDynamicConfigurationManager FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index e35d997a76..c3ed726028 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -466,7 +466,7 @@ func (Theme) SwaggerDoc() map[string]string { var map_AWSCSIDriverConfigSpec = map[string]string{ "": "AWSCSIDriverConfigSpec defines properties that can be configured for the AWS CSI driver.", - "kmsKeyARN": "kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key.", + "kmsKeyARN": "kmsKeyARN sets the cluster default storage class to encrypt volumes with a user-defined KMS key, rather than the default KMS key used by AWS. The value may be either the ARN or Alias ARN of a KMS key.\n\nThe ARN must follow the format: arn::kms:::(key|alias)/, where: is the AWS partition (aws, aws-cn, aws-us-gov, aws-iso, aws-iso-b, aws-iso-e, aws-iso-f, or aws-eusc), is the AWS region, is a 12-digit numeric identifier for the AWS account, is the KMS key ID or alias name.", "efsVolumeMetrics": "efsVolumeMetrics sets the configuration for collecting metrics from EFS volumes used by the EFS CSI Driver.", } @@ -1121,6 +1121,7 @@ var map_IngressControllerTuningOptions = map[string]string{ "healthCheckInterval": "healthCheckInterval defines how long the router waits between two consecutive health checks on its configured backends. This value is applied globally as a default for all routes, but may be overridden per-route by the route annotation \"router.openshift.io/haproxy.health.check.interval\".\n\nExpects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\".\n\nSetting this to less than 5s can cause excess traffic due to too frequent TCP health checks and accompanying SYN packet storms. Alternatively, setting this too high can result in increased latency, due to backend servers that are no longer available, but haven't yet been detected as such.\n\nAn empty or zero healthCheckInterval means no opinion and IngressController chooses a default, which is subject to change over time. Currently the default healthCheckInterval value is 5s.\n\nCurrently the minimum allowed value is 1s and the maximum allowed value is 2147483647ms (24.85 days). Both are subject to change over time.", "maxConnections": "maxConnections defines the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod to handle more connections but at the cost of additional system resources being consumed.\n\nPermitted values are: empty, 0, -1, and the range 2000-2000000.\n\nIf this field is empty or 0, the IngressController will use the default value of 50000, but the default is subject to change in future releases.\n\nIf the value is -1 then HAProxy will dynamically compute a maximum value based on the available ulimits in the running container. Selecting -1 (i.e., auto) will result in a large value being computed (~520000 on OpenShift >=4.10 clusters) and therefore each HAProxy process will incur significant memory usage compared to the current default of 50000.\n\nSetting a value that is greater than the current operating system limit will prevent the HAProxy process from starting.\n\nIf you choose a discrete value (e.g., 750000) and the router pod is migrated to a new node, there's no guarantee that that new node has identical ulimits configured. In such a scenario the pod would fail to start. If you have nodes with different ulimits configured (e.g., different tuned profiles) and you choose a discrete value then the guidance is to use -1 and let the value be computed dynamically at runtime.\n\nYou can monitor memory usage for router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}'.\n\nYou can monitor memory usage of individual HAProxy processes in router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}/container_processes{container=\"router\",namespace=\"openshift-ingress\"}'.", "reloadInterval": "reloadInterval defines the minimum interval at which the router is allowed to reload to accept new changes. Increasing this value can prevent the accumulation of HAProxy processes, depending on the scenario. Increasing this interval can also lessen load imbalance on a backend's servers when using the roundrobin balancing algorithm. Alternatively, decreasing this value may decrease latency since updates to HAProxy's configuration can take effect more quickly.\n\nThe value must be a time duration value; see . Currently, the minimum value allowed is 1s, and the maximum allowed value is 120s. Minimum and maximum allowed values may change in future versions of OpenShift. Note that if a duration outside of these bounds is provided, the value of reloadInterval will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to 120s; the IngressController will not reject and replace this disallowed value with the default).\n\nA zero value for reloadInterval tells the IngressController to choose the default, which is currently 5s and subject to change without notice.\n\nThis field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\".\n\nNote: Setting a value significantly larger than the default of 5s can cause latency in observing updates to routes and their endpoints. HAProxy's configuration will be reloaded less frequently, and newly created routes will not be served until the subsequent reload.", + "configurationManagement": "configurationManagement specifies how OpenShift router should update the HAProxy configuration. The following values are valid for this field:\n\n* \"ForkAndReload\". * \"Dynamic\".\n\nOmitting this field means that the user has no opinion and the platform may choose a reasonable default. This default is subject to change over time. The current default is \"ForkAndReload\".\n\n\"ForkAndReload\" means that OpenShift router should rewrite the HAProxy configuration file and instruct HAProxy to fork and reload. This is OpenShift router's traditional approach.\n\n\"Dynamic\" means that OpenShift router may use HAProxy's control socket for some configuration updates and fall back to fork and reload for other configuration updates. This is a newer approach, which may be less mature than ForkAndReload. This setting can improve load-balancing fairness and metrics accuracy and reduce CPU and memory usage if HAProxy has frequent configuration updates for route and endpoints updates.\n\nNote: The \"Dynamic\" option is currently experimental and should not be enabled on production clusters.", } func (IngressControllerTuningOptions) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/quota/v1/generated.proto b/vendor/github.com/openshift/api/quota/v1/generated.proto index fb7fed242a..998c594732 100644 --- a/vendor/github.com/openshift/api/quota/v1/generated.proto +++ b/vendor/github.com/openshift/api/quota/v1/generated.proto @@ -51,7 +51,7 @@ message AppliedClusterResourceQuotaList { // +kubebuilder:resource:path=clusterresourcequotas,scope=Cluster // +kubebuilder:subresource:status // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470 -// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=config-operator,operatorOrdering=01 +// +openshift:file-pattern=cvoRunLevel=0000_00,operatorName=apiserver,operatorOrdering=01 // +openshift:compatibility-gen:level=1 // +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true message ClusterResourceQuota { diff --git a/vendor/github.com/openshift/api/quota/v1/types.go b/vendor/github.com/openshift/api/quota/v1/types.go index 0cfb85f87e..9f60962146 100644 --- a/vendor/github.com/openshift/api/quota/v1/types.go +++ b/vendor/github.com/openshift/api/quota/v1/types.go @@ -17,7 +17,7 @@ import ( // +kubebuilder:resource:path=clusterresourcequotas,scope=Cluster // +kubebuilder:subresource:status // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/470 -// +openshift:file-pattern=cvoRunLevel=0000_03,operatorName=config-operator,operatorOrdering=01 +// +openshift:file-pattern=cvoRunLevel=0000_00,operatorName=apiserver,operatorOrdering=01 // +openshift:compatibility-gen:level=1 // +kubebuilder:metadata:annotations=release.openshift.io/bootstrap-required=true type ClusterResourceQuota struct { diff --git a/vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml index b0fae46f7d..1a56a512d7 100644 --- a/vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml @@ -6,9 +6,9 @@ clusterresourcequotas.quota.openshift.io: Capability: "" Category: "" FeatureGates: [] - FilenameOperatorName: config-operator + FilenameOperatorName: apiserver FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_03" + FilenameRunLevel: "0000_00" GroupName: quota.openshift.io HasStatus: true KindName: ClusterResourceQuota diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go b/vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go new file mode 100644 index 0000000000..76d71da2ab --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go @@ -0,0 +1,225 @@ +package crypto + +import ( + "crypto" + "crypto/x509" + "crypto/x509/pkix" + "fmt" + "time" + + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apiserver/pkg/authentication/user" +) + +// KeyPairGenerator generates a cryptographic key pair. +type KeyPairGenerator interface { + GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error) +} + +// NewSigningCertificate creates a CA certificate. +// By default it creates a self-signed root CA. Use WithSigner to create an +// intermediate CA signed by a parent CA. +// The name parameter is used as the CommonName unless overridden with WithSubject. +// Optional: WithSigner, WithSubject, WithLifetime (defaults to DefaultCACertificateLifetimeDuration). +func NewSigningCertificate(name string, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error) { + o := &CertificateOptions{ + lifetime: DefaultCACertificateLifetimeDuration, + } + for _, opt := range opts { + opt(o) + } + + subject := pkix.Name{CommonName: name} + if o.subject != nil { + subject = *o.subject + } + + publicKey, privateKey, err := keyGen.GenerateKeyPair() + if err != nil { + return nil, fmt.Errorf("failed to generate key pair: %w", err) + } + subjectKeyId, err := SubjectKeyIDFromPublicKey(publicKey) + if err != nil { + return nil, fmt.Errorf("failed to compute subject key ID: %w", err) + } + + if o.signer != nil { + // Intermediate CA signed by the provided signer. + authorityKeyId := o.signer.Config.Certs[0].SubjectKeyId + template := newSigningCertificateTemplateForDuration(subject, o.lifetime, time.Now, authorityKeyId, subjectKeyId) + template.SignatureAlgorithm = 0 + template.KeyUsage = KeyUsageForPublicKey(publicKey) | x509.KeyUsageCertSign + + cert, err := o.signer.SignCertificate(template, publicKey) + if err != nil { + return nil, fmt.Errorf("failed to sign certificate: %w", err) + } + + return &TLSCertificateConfig{ + Certs: append([]*x509.Certificate{cert}, o.signer.Config.Certs...), + Key: privateKey, + }, nil + } + + // Self-signed root CA. AuthorityKeyId and SubjectKeyId match. + template := newSigningCertificateTemplateForDuration(subject, o.lifetime, time.Now, subjectKeyId, subjectKeyId) + template.SignatureAlgorithm = 0 + template.KeyUsage = KeyUsageForPublicKey(publicKey) | x509.KeyUsageCertSign + + cert, err := signCertificate(template, publicKey, template, privateKey) + if err != nil { + return nil, fmt.Errorf("failed to sign certificate: %w", err) + } + + return &TLSCertificateConfig{ + Certs: []*x509.Certificate{cert}, + Key: privateKey, + }, nil +} + +// NewServerCertificate creates a server/serving certificate signed by this CA. +// Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration), WithExtensions. +func (ca *CA) NewServerCertificate(hostnames sets.Set[string], keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error) { + o := &CertificateOptions{ + lifetime: DefaultCertificateLifetimeDuration, + } + for _, opt := range opts { + opt(o) + } + + publicKey, privateKey, err := keyGen.GenerateKeyPair() + if err != nil { + return nil, fmt.Errorf("failed to generate key pair: %w", err) + } + subjectKeyId, err := SubjectKeyIDFromPublicKey(publicKey) + if err != nil { + return nil, fmt.Errorf("failed to compute subject key ID: %w", err) + } + + sortedHostnames := sets.List(hostnames) + authorityKeyId := ca.Config.Certs[0].SubjectKeyId + template := newServerCertificateTemplateForDuration( + pkix.Name{CommonName: sortedHostnames[0]}, + sortedHostnames, + o.lifetime, + time.Now, + authorityKeyId, + subjectKeyId, + ) + // Let x509.CreateCertificate auto-detect the signature algorithm from the CA's key. + template.SignatureAlgorithm = 0 + template.KeyUsage = KeyUsageForPublicKey(publicKey) + + for _, fn := range o.extensionFns { + if err := fn(template); err != nil { + return nil, fmt.Errorf("failed to apply certificate extension: %w", err) + } + } + + cert, err := ca.SignCertificate(template, publicKey) + if err != nil { + return nil, fmt.Errorf("failed to sign certificate: %w", err) + } + + return &TLSCertificateConfig{ + Certs: append([]*x509.Certificate{cert}, ca.Config.Certs...), + Key: privateKey, + }, nil +} + +// NewClientCertificate creates a client certificate signed by this CA. +// Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration). +func (ca *CA) NewClientCertificate(u user.Info, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error) { + o := &CertificateOptions{ + lifetime: DefaultCertificateLifetimeDuration, + } + for _, opt := range opts { + opt(o) + } + + publicKey, privateKey, err := keyGen.GenerateKeyPair() + if err != nil { + return nil, fmt.Errorf("failed to generate key pair: %w", err) + } + subjectKeyId, err := SubjectKeyIDFromPublicKey(publicKey) + if err != nil { + return nil, fmt.Errorf("failed to compute subject key ID: %w", err) + } + + authorityKeyId := ca.Config.Certs[0].SubjectKeyId + template := NewClientCertificateTemplateForDuration(UserToSubject(u), o.lifetime, time.Now) + template.AuthorityKeyId = authorityKeyId + template.SubjectKeyId = subjectKeyId + // Let x509.CreateCertificate auto-detect the signature algorithm from the CA's key. + template.SignatureAlgorithm = 0 + template.KeyUsage = KeyUsageForPublicKey(publicKey) + + cert, err := ca.SignCertificate(template, publicKey) + if err != nil { + return nil, fmt.Errorf("failed to sign certificate: %w", err) + } + + return &TLSCertificateConfig{ + Certs: append([]*x509.Certificate{cert}, ca.Config.Certs...), + Key: privateKey, + }, nil +} + +// NewPeerCertificate creates a peer certificate (both server and client auth) +// signed by this CA. +// Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration), WithExtensions. +func (ca *CA) NewPeerCertificate(hostnames sets.Set[string], u user.Info, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error) { + o := &CertificateOptions{ + lifetime: DefaultCertificateLifetimeDuration, + } + for _, opt := range opts { + opt(o) + } + + publicKey, privateKey, err := keyGen.GenerateKeyPair() + if err != nil { + return nil, fmt.Errorf("failed to generate key pair: %w", err) + } + subjectKeyId, err := SubjectKeyIDFromPublicKey(publicKey) + if err != nil { + return nil, fmt.Errorf("failed to compute subject key ID: %w", err) + } + + sortedHostnames := sets.List(hostnames) + authorityKeyId := ca.Config.Certs[0].SubjectKeyId + + // Start from a server certificate template for the hostnames. + template := newServerCertificateTemplateForDuration( + pkix.Name{CommonName: sortedHostnames[0]}, + sortedHostnames, + o.lifetime, + time.Now, + authorityKeyId, + subjectKeyId, + ) + // Let x509.CreateCertificate auto-detect the signature algorithm from the CA's key. + template.SignatureAlgorithm = 0 + template.KeyUsage = KeyUsageForPublicKey(publicKey) + + // Set subject from user info for client authentication. + template.Subject = UserToSubject(u) + + // Enable both server and client authentication. + template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} + + for _, fn := range o.extensionFns { + if err := fn(template); err != nil { + return nil, fmt.Errorf("failed to apply certificate extension: %w", err) + } + } + + cert, err := ca.SignCertificate(template, publicKey) + if err != nil { + return nil, fmt.Errorf("failed to sign certificate: %w", err) + } + + return &TLSCertificateConfig{ + Certs: append([]*x509.Certificate{cert}, ca.Config.Certs...), + Key: privateKey, + }, nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/keygen.go b/vendor/github.com/openshift/library-go/pkg/crypto/keygen.go new file mode 100644 index 0000000000..96b7559468 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/crypto/keygen.go @@ -0,0 +1,118 @@ +package crypto + +import ( + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "fmt" +) + +// KeyAlgorithm identifies the key generation algorithm. +type KeyAlgorithm string + +const ( + // RSAKeyAlgorithm specifies RSA key generation. + RSAKeyAlgorithm KeyAlgorithm = "RSA" + // ECDSAKeyAlgorithm specifies ECDSA key generation. + ECDSAKeyAlgorithm KeyAlgorithm = "ECDSA" +) + +// ECDSACurve identifies a named ECDSA curve. +type ECDSACurve string + +const ( + // P256 specifies the NIST P-256 curve (secp256r1), providing 128-bit security. + P256 ECDSACurve = "P256" + // P384 specifies the NIST P-384 curve (secp384r1), providing 192-bit security. + P384 ECDSACurve = "P384" + // P521 specifies the NIST P-521 curve (secp521r1), providing 256-bit security. + P521 ECDSACurve = "P521" +) + +// RSAKeyPairGenerator generates RSA key pairs. +type RSAKeyPairGenerator struct { + // Bits is the RSA key size in bits. Must be >= 2048. + Bits int +} + +func (g RSAKeyPairGenerator) GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error) { + bits := g.Bits + if bits == 0 { + bits = keyBits + } + privateKey, err := rsa.GenerateKey(rand.Reader, bits) + if err != nil { + return nil, nil, err + } + return &privateKey.PublicKey, privateKey, nil +} + +// ECDSAKeyPairGenerator generates ECDSA key pairs. +type ECDSAKeyPairGenerator struct { + // Curve is the named ECDSA curve. + Curve ECDSACurve +} + +func (g ECDSAKeyPairGenerator) GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error) { + curve, err := g.ellipticCurve() + if err != nil { + return nil, nil, err + } + privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) + if err != nil { + return nil, nil, err + } + return &privateKey.PublicKey, privateKey, nil +} + +func (g ECDSAKeyPairGenerator) ellipticCurve() (elliptic.Curve, error) { + switch g.Curve { + case P256: + return elliptic.P256(), nil + case P384: + return elliptic.P384(), nil + case P521: + return elliptic.P521(), nil + default: + return nil, fmt.Errorf("unsupported ECDSA curve: %q", g.Curve) + } +} + +// KeyUsageForPublicKey returns the x509.KeyUsage flags appropriate for the +// given public key type. ECDSA keys use DigitalSignature only; RSA keys also +// include KeyEncipherment. +func KeyUsageForPublicKey(pub crypto.PublicKey) x509.KeyUsage { + switch pub.(type) { + case *ecdsa.PublicKey: + return x509.KeyUsageDigitalSignature + default: + return x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature + } +} + +// SubjectKeyIDFromPublicKey computes a truncated SHA-256 hash suitable for +// use as a certificate SubjectKeyId from any supported public key type. +// This uses the first 160 bits of the SHA-256 hash per RFC 7093, consistent +// with the Go standard library since Go 1.25 (go.dev/issue/71746) and +// Let's Encrypt. Prior Go versions used SHA-1 which is not FIPS-compatible. +func SubjectKeyIDFromPublicKey(pub crypto.PublicKey) ([]byte, error) { + var rawBytes []byte + switch pub := pub.(type) { + case *rsa.PublicKey: + rawBytes = pub.N.Bytes() + case *ecdsa.PublicKey: + ecdhKey, err := pub.ECDH() + if err != nil { + return nil, fmt.Errorf("failed to convert ECDSA public key: %w", err) + } + rawBytes = ecdhKey.Bytes() + default: + return nil, fmt.Errorf("unsupported public key type: %T", pub) + } + hash := sha256.Sum256(rawBytes) + return hash[:20], nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/options.go b/vendor/github.com/openshift/library-go/pkg/crypto/options.go new file mode 100644 index 0000000000..983b115d22 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/crypto/options.go @@ -0,0 +1,49 @@ +package crypto + +import ( + "crypto/x509/pkix" + "time" +) + +// CertificateOptions holds optional configuration collected from functional options. +type CertificateOptions struct { + lifetime time.Duration + subject *pkix.Name + extensionFns []CertificateExtensionFunc + signer *CA +} + +// CertificateOption is a functional option for certificate creation. +type CertificateOption func(*CertificateOptions) + +// WithLifetime sets the certificate lifetime duration. +func WithLifetime(d time.Duration) CertificateOption { + return func(o *CertificateOptions) { + o.lifetime = d + } +} + +// WithSubject overrides the certificate subject. For signing certificates, +// this overrides the default subject derived from the name parameter. +func WithSubject(s pkix.Name) CertificateOption { + return func(o *CertificateOptions) { + o.subject = &s + } +} + +// WithSigner specifies a CA to sign the certificate. When used with +// NewSigningCertificate, this creates an intermediate CA signed by the +// given CA instead of a self-signed root CA. +func WithSigner(ca *CA) CertificateOption { + return func(o *CertificateOptions) { + o.signer = ca + } +} + +// WithExtensions adds certificate extension functions that are called +// to modify the certificate template before signing. +func WithExtensions(fns ...CertificateExtensionFunc) CertificateOption { + return func(o *CertificateOptions) { + o.extensionFns = append(o.extensionFns, fns...) + } +} diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go b/vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go new file mode 100644 index 0000000000..ef0e1af51a --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go @@ -0,0 +1,23 @@ +package crypto + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ShouldHonorClusterTLSProfile returns true if the component should honor the +// cluster-wide TLS security profile settings from apiserver.config.openshift.io/cluster. +// +// When this returns true (StrictAllComponents mode), components must honor the +// cluster-wide TLS profile unless they have a component-specific TLS configuration +// that overrides it. +// +// Unknown enum values are treated as StrictAllComponents for forward compatibility +// and to default to the more secure behavior. +func ShouldHonorClusterTLSProfile(tlsAdherence configv1.TLSAdherencePolicy) bool { + switch tlsAdherence { + case configv1.TLSAdherencePolicyNoOpinion, configv1.TLSAdherencePolicyLegacyAdheringComponentsOnly: + return false + default: + return true + } +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go index f9ad1fc14b..dbacb066e9 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go @@ -6,13 +6,12 @@ import ( "time" operatorv1 "github.com/openshift/api/operator/v1" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/util/wait" - "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/condition" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/v1helpers" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/wait" ) const ( @@ -80,6 +79,7 @@ func NewCertRotationController( RotatedSelfSignedCertKeySecret: rotatedSelfSignedCertKeySecret, StatusReporter: reporter, } + return factory.New(). ResyncEvery(time.Minute). WithSync(c.Sync). diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go index c2c8b8368f..019cce7d5a 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go @@ -9,6 +9,7 @@ import ( "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" + "github.com/openshift/library-go/pkg/pki" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -48,6 +49,13 @@ type RotatedSigningCASecret struct { // AdditionalAnnotations is a collection of annotations set for the secret AdditionalAnnotations AdditionalAnnotations + // CertificateName is the logical name of this certificate for PKI profile resolution. + CertificateName string + + // PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate + // key algorithm resolution. When nil, legacy certificate generation is used. + PKIProfileProvider pki.PKIProfileProvider + // Plumbing: Informer corev1informers.SecretInformer Lister corev1listers.SecretLister @@ -87,12 +95,12 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (* // run Update if signer content needs changing signerUpdated := false - if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret, c.Refresh, c.RefreshOnlyWhenExpired); needed || creationRequired { + if needed, reason := c.needNewSigningCertKeyPair(signingCertKeyPairSecret); needed || creationRequired { if creationRequired { reason = "secret doesn't exist" } c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason) - if err = setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret, c.Validity, c.Refresh, c.AdditionalAnnotations); err != nil { + if err = c.setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret); err != nil { return nil, false, err } @@ -149,7 +157,7 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference) return false } -func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) { +func (c RotatedSigningCASecret) needNewSigningCertKeyPair(secret *corev1.Secret) (bool, string) { annotations := secret.Annotations notBefore, notAfter, reason := getValidityFromAnnotations(annotations) if len(reason) > 0 { @@ -160,7 +168,7 @@ func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, ref return true, "already expired" } - if refreshOnlyWhenExpired { + if c.RefreshOnlyWhenExpired { return false, "" } @@ -170,7 +178,7 @@ func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, ref return true, fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent) } - developerSpecifiedRefresh := notBefore.Add(refresh) + developerSpecifiedRefresh := notBefore.Add(c.Refresh) if time.Now().After(developerSpecifiedRefresh) { return true, fmt.Sprintf("past its refresh time %v", developerSpecifiedRefresh) } @@ -199,22 +207,67 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T return notBefore, notAfter, "" } +func (c RotatedSigningCASecret) resolveKeyPairGenerator() (crypto.KeyPairGenerator, error) { + return resolveKeyPairGeneratorWithFallback(c.PKIProfileProvider, pki.CertificateTypeSigner, c.CertificateName) +} + +// resolveKeyPairGeneratorWithFallback resolves the key pair generator from the +// PKI profile provider. Returns nil for Unmanaged mode (no key override). +// +// TODO(sanchezl): Remove the fallback to DefaultPKIProfile() once installer +// support for the PKI resource is in place. Until then, the PKI resource may +// not exist in TechPreview clusters. Once removed, callers can use +// pki.ResolveCertificateConfig directly. +func resolveKeyPairGeneratorWithFallback(provider pki.PKIProfileProvider, certType pki.CertificateType, name string) (crypto.KeyPairGenerator, error) { + cfg, err := pki.ResolveCertificateConfig(provider, certType, name) + if err != nil { + klog.Warningf("Failed to resolve PKI config for %s %q, falling back to default profile: %v", certType, name, err) + defaultProfile := pki.DefaultPKIProfile() + cfg, err = pki.ResolveCertificateConfig(pki.NewStaticPKIProfileProvider(&defaultProfile), certType, name) + if err != nil { + return nil, err + } + } + if cfg == nil { + return nil, nil + } + return cfg.Key, nil +} + // setSigningCertKeyPairSecretAndTLSAnnotations generates a new signing certificate and key pair, // stores them in the specified secret, and adds predefined TLS annotations to that secret. -func setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret *corev1.Secret, validity, refresh time.Duration, tlsAnnotations AdditionalAnnotations) error { - ca, err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, validity) +func (c RotatedSigningCASecret) setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret *corev1.Secret) error { + ca, err := c.setSigningCertKeyPairSecret(signingCertKeyPairSecret) if err != nil { return err } - setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret, ca, refresh, tlsAnnotations) + c.setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret, ca) return nil } -// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret -func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret. +func (c RotatedSigningCASecret) setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret) (*crypto.TLSCertificateConfig, error) { signerName := fmt.Sprintf("%s_%s@%d", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name, time.Now().Unix()) - ca, err := crypto.MakeSelfSignedCAConfigForDuration(signerName, validity) + + var ca *crypto.TLSCertificateConfig + var err error + if c.PKIProfileProvider != nil { + keyGen, err := c.resolveKeyPairGenerator() + if err != nil { + return nil, err + } + if keyGen != nil { + ca, err = crypto.NewSigningCertificate(signerName, keyGen, crypto.WithLifetime(c.Validity)) + if err != nil { + return nil, err + } + } + // nil keyGen means Unmanaged: fall through to legacy cert generation + } + if ca == nil { + ca, err = crypto.MakeSelfSignedCAConfigForDuration(signerName, c.Validity) + } if err != nil { return nil, err } @@ -243,11 +296,12 @@ func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validi // // These assumptions are safe because this function is only called after the secret // has been initialized in setSigningCertKeyPairSecret. -func setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, ca *crypto.TLSCertificateConfig, refresh time.Duration, tlsAnnotations AdditionalAnnotations) { +func (c RotatedSigningCASecret) setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, ca *crypto.TLSCertificateConfig) { signingCertKeyPairSecret.Annotations[CertificateIssuer] = ca.Certs[0].Issuer.CommonName + tlsAnnotations := c.AdditionalAnnotations tlsAnnotations.NotBefore = ca.Certs[0].NotBefore.Format(time.RFC3339) tlsAnnotations.NotAfter = ca.Certs[0].NotAfter.Format(time.RFC3339) - tlsAnnotations.RefreshPeriod = refresh.String() + tlsAnnotations.RefreshPeriod = c.Refresh.String() _ = tlsAnnotations.EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta) } diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go index 88cd41189e..b76c494402 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go @@ -18,6 +18,7 @@ import ( "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" + "github.com/openshift/library-go/pkg/pki" corev1informers "k8s.io/client-go/informers/core/v1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" corev1listers "k8s.io/client-go/listers/core/v1" @@ -64,6 +65,13 @@ type RotatedSelfSignedCertKeySecret struct { // CertCreator does the actual cert generation. CertCreator TargetCertCreator + // CertificateName is the logical name of this certificate for PKI profile resolution. + CertificateName string + + // PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate + // key algorithm resolution. When nil, legacy certificate generation is used. + PKIProfileProvider pki.PKIProfileProvider + // Plumbing: Informer corev1informers.SecretInformer Lister corev1listers.SecretLister @@ -72,12 +80,15 @@ type RotatedSelfSignedCertKeySecret struct { } type TargetCertCreator interface { - // NewCertificate creates a new key-cert pair with the given signer. - NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) + // NewCertificate creates a new key-cert pair with the given signer. If keyGen + // is non-nil, it is used to generate the key pair; otherwise legacy defaults are used. + NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) // NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case. NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string // SetAnnotations gives an option to override or set additional annotations SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string + // CertificateType returns the category of certificate this creator produces. + CertificateType() pki.CertificateType } // TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce @@ -121,7 +132,7 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 { c.EventRecorder.Eventf("TargetUpdateRequired", "%q in %q requires a new target cert/key pair: %v", c.Name, c.Namespace, reason) - if err = setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, c.Validity, c.Refresh, signingCertKeyPair, c.CertCreator, c.AdditionalAnnotations); err != nil { + if err = c.setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, signingCertKeyPair); err != nil { return nil, err } @@ -239,19 +250,19 @@ func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *cryp // setTargetCertKeyPairSecretAndTLSAnnotations generates a new cert/key pair, // stores them in the specified secret, and adds predefined TLS annotations to that secret. -func setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret *corev1.Secret, validity, refresh time.Duration, signer *crypto.CA, certCreator TargetCertCreator, tlsAnnotations AdditionalAnnotations) error { - certKeyPair, err := setTargetCertKeyPairSecret(targetCertKeyPairSecret, validity, signer, certCreator) +func (c RotatedSelfSignedCertKeySecret) setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret *corev1.Secret, signer *crypto.CA) error { + certKeyPair, err := c.setTargetCertKeyPairSecret(targetCertKeyPairSecret, signer) if err != nil { return err } - setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret, certKeyPair, certCreator, refresh, tlsAnnotations) + c.setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret, certKeyPair) return nil } // setTargetCertKeyPairSecret creates a new cert/key pair and sets them in the secret. Only one of client, serving, or signer rotation may be specified. // TODO refactor with an interface for actually signing and move the one-of check higher in the stack. -func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity time.Duration, signer *crypto.CA, certCreator TargetCertCreator) (*crypto.TLSCertificateConfig, error) { +func (c RotatedSelfSignedCertKeySecret) setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, signer *crypto.CA) (*crypto.TLSCertificateConfig, error) { if targetCertKeyPairSecret.Annotations == nil { targetCertKeyPairSecret.Annotations = map[string]string{} } @@ -260,13 +271,22 @@ func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity } // our annotation is based on our cert validity, so we want to make sure that we don't specify something past our signer - targetValidity := validity + targetValidity := c.Validity remainingSignerValidity := signer.Config.Certs[0].NotAfter.Sub(time.Now()) - if remainingSignerValidity < validity { + if remainingSignerValidity < targetValidity { targetValidity = remainingSignerValidity } - certKeyPair, err := certCreator.NewCertificate(signer, targetValidity) + var keyGen crypto.KeyPairGenerator + if c.PKIProfileProvider != nil { + var err error + keyGen, err = c.resolveKeyPairGenerator() + if err != nil { + return nil, err + } + } + + certKeyPair, err := c.CertCreator.NewCertificate(signer, targetValidity, keyGen) if err != nil { return nil, err } @@ -282,22 +302,34 @@ func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity // // These assumptions are safe because this function is only called after the secret // has been initialized in setTargetCertKeyPairSecret. -func setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, certKeyPair *crypto.TLSCertificateConfig, certCreator TargetCertCreator, refresh time.Duration, tlsAnnotations AdditionalAnnotations) { +func (c RotatedSelfSignedCertKeySecret) setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, certKeyPair *crypto.TLSCertificateConfig) { targetCertKeyPairSecret.Annotations[CertificateIssuer] = certKeyPair.Certs[0].Issuer.CommonName + tlsAnnotations := c.AdditionalAnnotations tlsAnnotations.NotBefore = certKeyPair.Certs[0].NotBefore.Format(time.RFC3339) tlsAnnotations.NotAfter = certKeyPair.Certs[0].NotAfter.Format(time.RFC3339) - tlsAnnotations.RefreshPeriod = refresh.String() + tlsAnnotations.RefreshPeriod = c.Refresh.String() _ = tlsAnnotations.EnsureTLSMetadataUpdate(&targetCertKeyPairSecret.ObjectMeta) - certCreator.SetAnnotations(certKeyPair, targetCertKeyPairSecret.Annotations) + c.CertCreator.SetAnnotations(certKeyPair, targetCertKeyPairSecret.Annotations) +} + +func (c RotatedSelfSignedCertKeySecret) resolveKeyPairGenerator() (crypto.KeyPairGenerator, error) { + return resolveKeyPairGeneratorWithFallback(c.PKIProfileProvider, c.CertCreator.CertificateType(), c.CertificateName) } type ClientRotation struct { UserInfo user.Info } -func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +func (r *ClientRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeClient +} + +func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + if keyGen != nil { + return signer.NewClientCertificate(r.UserInfo, keyGen, crypto.WithLifetime(validity)) + } return signer.MakeClientCertificateForDuration(r.UserInfo, validity) } @@ -315,11 +347,23 @@ type ServingRotation struct { HostnamesChanged <-chan struct{} } -func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { - if len(r.Hostnames()) == 0 { +func (r *ServingRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeServing +} + +func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + hostnames := r.Hostnames() + if len(hostnames) == 0 { return nil, fmt.Errorf("no hostnames set") } - return signer.MakeServerCertForDuration(sets.New(r.Hostnames()...), validity, r.CertificateExtensionFn...) + if keyGen != nil { + return signer.NewServerCertificate( + sets.New(hostnames...), keyGen, + crypto.WithLifetime(validity), + crypto.WithExtensions(r.CertificateExtensionFn...), + ) + } + return signer.MakeServerCertForDuration(sets.New(hostnames...), validity, r.CertificateExtensionFn...) } func (r *ServingRotation) RecheckChannel() <-chan struct{} { @@ -336,18 +380,25 @@ func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Sec } func (r *ServingRotation) missingHostnames(annotations map[string]string) string { + return missingHostnames(annotations, r.Hostnames()) +} + +func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { + return setHostnameAnnotations(cert, annotations) +} + +func missingHostnames(annotations map[string]string, hostnames []string) string { existingHostnames := sets.New(strings.Split(annotations[CertificateHostnames], ",")...) - requiredHostnames := sets.New(r.Hostnames()...) + requiredHostnames := sets.New(hostnames...) if !existingHostnames.Equal(requiredHostnames) { existingNotRequired := existingHostnames.Difference(requiredHostnames) requiredNotExisting := requiredHostnames.Difference(existingHostnames) return fmt.Sprintf("%q are existing and not required, %q are required and not existing", strings.Join(sets.List(existingNotRequired), ","), strings.Join(sets.List(requiredNotExisting), ",")) } - return "" } -func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { +func setHostnameAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { hostnames := sets.Set[string]{} for _, ip := range cert.Certs[0].IPAddresses { hostnames.Insert(ip.String()) @@ -355,7 +406,6 @@ func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, anno for _, dnsName := range cert.Certs[0].DNSNames { hostnames.Insert(dnsName) } - // List does a sort so that we have a consistent representation annotations[CertificateHostnames] = strings.Join(sets.List(hostnames), ",") return annotations @@ -367,11 +417,81 @@ type SignerRotation struct { SignerName string } -func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +func (r *SignerRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeSigner +} + +func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { signerName := fmt.Sprintf("%s_@%d", r.SignerName, time.Now().Unix()) + if keyGen != nil { + return crypto.NewSigningCertificate(signerName, keyGen, + crypto.WithSigner(signer), + crypto.WithLifetime(validity), + ) + } return crypto.MakeCAConfigForDuration(signerName, validity, signer) } +// PeerRotation creates certificates used for both server and client authentication +// (e.g., etcd peer certificates). It uses CertificateTypePeer for PKI profile +// resolution, which selects the stronger of the serving and client key configurations. +// +// When keyGen is non-nil (ConfigurablePKI enabled), it calls NewPeerCertificate +// which requires UserInfo for the client identity. When keyGen is nil (legacy), +// it falls back to MakeServerCertForDuration with an extension function that +// sets both ClientAuth and ServerAuth ExtKeyUsages. +type PeerRotation struct { + Hostnames ServingHostnameFunc + UserInfo user.Info + CertificateExtensionFn []crypto.CertificateExtensionFunc + HostnamesChanged <-chan struct{} +} + +func (r *PeerRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypePeer +} + +func (r *PeerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + hostnames := r.Hostnames() + if len(hostnames) == 0 { + return nil, fmt.Errorf("no hostnames set") + } + if keyGen != nil { + if r.UserInfo == nil { + return nil, fmt.Errorf("PeerRotation requires UserInfo for configurable PKI certificates") + } + return signer.NewPeerCertificate( + sets.New(hostnames...), r.UserInfo, keyGen, + crypto.WithLifetime(validity), + crypto.WithExtensions(r.CertificateExtensionFn...), + ) + } + // Legacy path: use server cert template with extension fn to add both ExtKeyUsages. + // The subject CN comes from the first hostname (preserves current behavior). + peerExtFn := func(cert *x509.Certificate) error { + cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} + return nil + } + extensions := append(append([]crypto.CertificateExtensionFunc{}, r.CertificateExtensionFn...), peerExtFn) + return signer.MakeServerCertForDuration(sets.New(hostnames...), validity, extensions...) +} + +func (r *PeerRotation) RecheckChannel() <-chan struct{} { + return r.HostnamesChanged +} + +func (r *PeerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string { + reason := needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, creationRequired) + if len(reason) > 0 { + return reason + } + return missingHostnames(currentCertSecret.Annotations, r.Hostnames()) +} + +func (r *PeerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { + return setHostnameAnnotations(cert, annotations) +} + func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string { return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, exists) } diff --git a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go index fd34ec6201..f4a0943e51 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go @@ -123,11 +123,22 @@ type UpdateOperatorSpecFunc func(spec *operatorv1.OperatorSpec) error func UpdateSpec(ctx context.Context, client OperatorClient, updateFuncs ...UpdateOperatorSpecFunc) (*operatorv1.OperatorSpec, bool, error) { updated := false var operatorSpec *operatorv1.OperatorSpec + previousResourceVersion := "" err := retry.RetryOnConflict(retry.DefaultBackoff, func() error { oldSpec, _, resourceVersion, err := client.GetOperatorState() if err != nil { return err } + if resourceVersion == previousResourceVersion { + // Lister is stale (e.g. after a conflict or restart); do a live GET to get the current resourceVersion. + listerResourceVersion := resourceVersion + oldSpec, _, resourceVersion, err = client.GetOperatorStateWithQuorum(ctx) + if err != nil { + return err + } + klog.V(2).Infof("lister was stale at resourceVersion=%v, live get showed resourceVersion=%v", listerResourceVersion, resourceVersion) + } + previousResourceVersion = resourceVersion newSpec := oldSpec.DeepCopy() for _, update := range updateFuncs { diff --git a/vendor/github.com/openshift/library-go/pkg/pki/profile.go b/vendor/github.com/openshift/library-go/pkg/pki/profile.go new file mode 100644 index 0000000000..6f534c94f0 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/profile.go @@ -0,0 +1,114 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + "github.com/openshift/library-go/pkg/crypto" +) + +// DefaultPKIProfile returns the default PKIProfile for OpenShift. +func DefaultPKIProfile() configv1alpha1.PKIProfile { + return configv1alpha1.PKIProfile{ + Defaults: configv1alpha1.DefaultCertificateConfig{ + Key: configv1alpha1.KeyConfig{ + Algorithm: configv1alpha1.KeyAlgorithmECDSA, + ECDSA: configv1alpha1.ECDSAKeyConfig{Curve: configv1alpha1.ECDSACurveP256}, + }, + }, + SignerCertificates: configv1alpha1.CertificateConfig{ + Key: configv1alpha1.KeyConfig{ + Algorithm: configv1alpha1.KeyAlgorithmECDSA, + ECDSA: configv1alpha1.ECDSAKeyConfig{Curve: configv1alpha1.ECDSACurveP384}, + }, + }, + } +} + +// KeyPairGeneratorFromAPI converts a configv1alpha1.KeyConfig to a +// crypto.KeyPairGenerator. +func KeyPairGeneratorFromAPI(apiKey configv1alpha1.KeyConfig) (crypto.KeyPairGenerator, error) { + switch apiKey.Algorithm { + case configv1alpha1.KeyAlgorithmRSA: + return crypto.RSAKeyPairGenerator{ + Bits: int(apiKey.RSA.KeySize), + }, nil + case configv1alpha1.KeyAlgorithmECDSA: + curve, err := ecdsaCurveFromAPI(apiKey.ECDSA.Curve) + if err != nil { + return nil, err + } + return crypto.ECDSAKeyPairGenerator{ + Curve: curve, + }, nil + default: + return nil, fmt.Errorf("unknown key algorithm: %q", apiKey.Algorithm) + } +} + +// ecdsaCurveFromAPI converts an API ECDSA curve name to the crypto package's ECDSACurve. +func ecdsaCurveFromAPI(c configv1alpha1.ECDSACurve) (crypto.ECDSACurve, error) { + switch c { + case configv1alpha1.ECDSACurveP256: + return crypto.P256, nil + case configv1alpha1.ECDSACurveP384: + return crypto.P384, nil + case configv1alpha1.ECDSACurveP521: + return crypto.P521, nil + default: + return "", fmt.Errorf("unknown ECDSA curve: %q", c) + } +} + +// securityBits returns the NIST security strength in bits for a given +// KeyPairGenerator. For RSA, values come from the rsaSecurityStrength table. +// For ECDSA, security strength is half the key size (fixed per curve). +func securityBits(g crypto.KeyPairGenerator) int { + switch g := g.(type) { + case crypto.RSAKeyPairGenerator: + return rsaSecurityStrength[g.Bits] + case crypto.ECDSAKeyPairGenerator: + switch g.Curve { + case crypto.P256: + return 128 + case crypto.P384: + return 192 + case crypto.P521: + return 256 + } + } + return 0 +} + +// rsaSecurityStrength maps RSA key sizes (2048-8192 in 1024-bit increments) +// to their security strengths from NIST SP 800-56B Rev 2 Table 2 or +// pre-calculated from the GNFS complexity estimate. +var rsaSecurityStrength = map[int]int{ + 2048: 112, + 3072: 128, + 4096: 152, + 5120: 168, + 6144: 176, + 7168: 192, + 8192: 200, +} + +// strongerKeyPairGenerator returns whichever of a or b provides higher NIST +// security strength. In case of a tie, ECDSA is preferred over RSA. +func strongerKeyPairGenerator(a, b crypto.KeyPairGenerator) crypto.KeyPairGenerator { + sa, sb := securityBits(a), securityBits(b) + if sb > sa { + return b + } + if sa > sb { + return a + } + // Equal strength: prefer ECDSA over RSA. + if _, ok := a.(crypto.ECDSAKeyPairGenerator); ok { + return a + } + if _, ok := b.(crypto.ECDSAKeyPairGenerator); ok { + return b + } + return a +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/provider.go b/vendor/github.com/openshift/library-go/pkg/pki/provider.go new file mode 100644 index 0000000000..2007aa890e --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/provider.go @@ -0,0 +1,75 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1listers "github.com/openshift/client-go/config/listers/config/v1alpha1" +) + +// PKIProfileProvider provides the PKIProfile that determines certificate key +// configuration. A nil profile indicates Unmanaged mode where the caller +// should use its own defaults. +type PKIProfileProvider interface { + PKIProfile() (*configv1alpha1.PKIProfile, error) +} + +// StaticPKIProfileProvider is a PKIProfileProvider backed by a fixed PKIProfile. +type StaticPKIProfileProvider struct { + profile *configv1alpha1.PKIProfile +} + +// NewStaticPKIProfileProvider returns a PKIProfileProvider backed by the given +// profile. A nil profile signals Unmanaged mode. +func NewStaticPKIProfileProvider(profile *configv1alpha1.PKIProfile) *StaticPKIProfileProvider { + return &StaticPKIProfileProvider{profile: profile} +} + +// PKIProfile returns the static PKIProfile. +func (s *StaticPKIProfileProvider) PKIProfile() (*configv1alpha1.PKIProfile, error) { + return s.profile, nil +} + +// ListerPKIProfileProvider is a PKIProfileProvider that reads a named +// cluster-scoped PKI resource via a lister. +type ListerPKIProfileProvider struct { + lister configv1alpha1listers.PKILister + resourceName string +} + +// NewClusterPKIProfileProvider creates a PKIProfileProvider that resolves the +// PKIProfile from the OpenShift cluster configuration PKI resource. +func NewClusterPKIProfileProvider(lister configv1alpha1listers.PKILister) *ListerPKIProfileProvider { + return NewListerPKIProfileProvider(lister, "cluster") +} + +// NewListerPKIProfileProvider returns a PKIProfileProvider that reads the +// named cluster-scoped PKI resource via a lister. +func NewListerPKIProfileProvider(lister configv1alpha1listers.PKILister, resourceName string) *ListerPKIProfileProvider { + return &ListerPKIProfileProvider{ + lister: lister, + resourceName: resourceName, + } +} + +// PKIProfile reads the PKI resource and returns the profile based on its +// certificate management mode. Returns nil for Unmanaged mode. +func (l *ListerPKIProfileProvider) PKIProfile() (*configv1alpha1.PKIProfile, error) { + pki, err := l.lister.Get(l.resourceName) + if err != nil { + return nil, fmt.Errorf("failed to get PKI resource %q: %w", l.resourceName, err) + } + + switch pki.Spec.CertificateManagement.Mode { + case configv1alpha1.PKICertificateManagementModeUnmanaged: + return nil, nil + case configv1alpha1.PKICertificateManagementModeDefault: + profile := DefaultPKIProfile() + return &profile, nil + case configv1alpha1.PKICertificateManagementModeCustom: + profile := pki.Spec.CertificateManagement.Custom.PKIProfile + return &profile, nil + default: + return nil, fmt.Errorf("unknown PKI certificate management mode: %q", pki.Spec.CertificateManagement.Mode) + } +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/resolve.go b/vendor/github.com/openshift/library-go/pkg/pki/resolve.go new file mode 100644 index 0000000000..1154fd48ea --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/resolve.go @@ -0,0 +1,77 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + "github.com/openshift/library-go/pkg/crypto" +) + +// CertificateConfig holds the resolved configuration for a specific certificate. +// Currently contains key configuration; will grow as the PKI API expands to +// include additional certificate properties. +type CertificateConfig struct { + // Key is the resolved key pair generator. + Key crypto.KeyPairGenerator +} + +// ResolveCertificateConfig resolves the effective certificate configuration +// for a given certificate type and name from the PKI profile. +// +// Returns nil if the provider returns a nil profile (Unmanaged mode), +// indicating that the caller should use its own default behavior. +// +// The name parameter is reserved for future per-certificate overrides and +// can be used for metrics and logging. +func ResolveCertificateConfig(provider PKIProfileProvider, certType CertificateType, name string) (*CertificateConfig, error) { + profile, err := provider.PKIProfile() + if err != nil { + return nil, fmt.Errorf("resolving PKI profile for %s certificate %q: %w", certType, name, err) + } + if profile == nil { + return nil, nil + } + + switch certType { + case CertificateTypeSigner: + return resolveKeyConfig(profile.Defaults, profile.SignerCertificates) + case CertificateTypeServing: + return resolveKeyConfig(profile.Defaults, profile.ServingCertificates) + case CertificateTypeClient: + return resolveKeyConfig(profile.Defaults, profile.ClientCertificates) + case CertificateTypePeer: + return resolvePeerKeyConfig(profile) + default: + return nil, fmt.Errorf("unknown certificate type: %q", certType) + } +} + +// resolveKeyConfig returns the override KeyConfig if its Algorithm is set, +// otherwise falls back to the default. +func resolveKeyConfig(defaults configv1alpha1.DefaultCertificateConfig, override configv1alpha1.CertificateConfig) (*CertificateConfig, error) { + apiKey := defaults.Key + if override.Key.Algorithm != "" { + apiKey = override.Key + } + g, err := KeyPairGeneratorFromAPI(apiKey) + if err != nil { + return nil, err + } + return &CertificateConfig{Key: g}, nil +} + +// resolvePeerKeyConfig resolves both the serving and client configs and +// returns whichever has higher NIST security strength. +func resolvePeerKeyConfig(profile *configv1alpha1.PKIProfile) (*CertificateConfig, error) { + servingCfg, err := resolveKeyConfig(profile.Defaults, profile.ServingCertificates) + if err != nil { + return nil, fmt.Errorf("resolving serving config for peer: %w", err) + } + clientCfg, err := resolveKeyConfig(profile.Defaults, profile.ClientCertificates) + if err != nil { + return nil, fmt.Errorf("resolving client config for peer: %w", err) + } + return &CertificateConfig{ + Key: strongerKeyPairGenerator(servingCfg.Key, clientCfg.Key), + }, nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/types.go b/vendor/github.com/openshift/library-go/pkg/pki/types.go new file mode 100644 index 0000000000..2cf8282255 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/types.go @@ -0,0 +1,23 @@ +package pki + +// CertificateType identifies the category of a certificate for profile resolution. +type CertificateType string + +const ( + // CertificateTypeSigner identifies certificate authority (CA) certificates + // that sign other certificates. + CertificateTypeSigner CertificateType = "signer" + + // CertificateTypeServing identifies TLS server certificates used to serve + // HTTPS endpoints. + CertificateTypeServing CertificateType = "serving" + + // CertificateTypeClient identifies client authentication certificates used + // to authenticate to servers. + CertificateTypeClient CertificateType = "client" + + // CertificateTypePeer identifies certificates used for both server and client + // authentication. The resolved key configuration is the stronger of the + // serving and client configurations. + CertificateTypePeer CertificateType = "peer" +) diff --git a/vendor/k8s.io/code-generator/generate-groups.sh b/vendor/k8s.io/code-generator/generate-groups.sh old mode 100644 new mode 100755 diff --git a/vendor/k8s.io/code-generator/generate-internal-groups.sh b/vendor/k8s.io/code-generator/generate-internal-groups.sh old mode 100644 new mode 100755 diff --git a/vendor/modules.txt b/vendor/modules.txt index 2a6676c74f..486baf0cde 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1269,7 +1269,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/junit github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20260326111139-30c2ef7a272e +# github.com/openshift/api v0.0.0-20260408160412-464776f95207 ## explicit; go 1.25.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1294,6 +1294,7 @@ github.com/openshift/api/config/v1alpha2 github.com/openshift/api/console github.com/openshift/api/console/v1 github.com/openshift/api/etcd +github.com/openshift/api/etcd/v1 github.com/openshift/api/etcd/v1alpha1 github.com/openshift/api/features github.com/openshift/api/helm @@ -1506,7 +1507,7 @@ github.com/openshift/client-go/user/applyconfigurations/user/v1 github.com/openshift/client-go/user/clientset/versioned github.com/openshift/client-go/user/clientset/versioned/scheme github.com/openshift/client-go/user/clientset/versioned/typed/user/v1 -# github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 +# github.com/openshift/library-go v0.0.0-20260409165127-c57da2bf5720 ## explicit; go 1.25.0 github.com/openshift/library-go/pkg/apiserver/jsonpatch github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer @@ -1531,6 +1532,7 @@ github.com/openshift/library-go/pkg/operator/resource/resourcemerge github.com/openshift/library-go/pkg/operator/resource/resourceread github.com/openshift/library-go/pkg/operator/resourcesynccontroller github.com/openshift/library-go/pkg/operator/v1helpers +github.com/openshift/library-go/pkg/pki # github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b ## explicit; go 1.18 github.com/openshift/runtime-utils/pkg/registries From 1949b4015b2548b34f38912daa5eab47b854beac Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Thu, 9 Apr 2026 22:30:59 -0400 Subject: [PATCH 2/2] enable configurable PKI for cert rotation --- cmd/machine-config-controller/start.go | 2 + .../certrotation/certrotation_controller.go | 49 +++++++++++++------ .../certrotation_controller_test.go | 2 +- .../k8s.io/code-generator/generate-groups.sh | 0 .../generate-internal-groups.sh | 0 5 files changed, 36 insertions(+), 17 deletions(-) mode change 100755 => 100644 vendor/k8s.io/code-generator/generate-groups.sh mode change 100755 => 100644 vendor/k8s.io/code-generator/generate-internal-groups.sh diff --git a/cmd/machine-config-controller/start.go b/cmd/machine-config-controller/start.go index 71a547e63c..085958a5ab 100644 --- a/cmd/machine-config-controller/start.go +++ b/cmd/machine-config-controller/start.go @@ -107,6 +107,8 @@ func runStartCmd(_ *cobra.Command, _ []string) { ctrlctx.KubeNamespacedInformerFactory.Core().V1().Secrets(), ctrlctx.KubeNamespacedInformerFactory.Core().V1().ConfigMaps(), ctrlctx.ConfigInformerFactory.Config().V1().Infrastructures(), + ctrlctx.ConfigInformerFactory, + ctrlctx.FeatureGatesHandler, ) if err != nil { klog.Fatalf("unable to start cert rotation controller: %v", err) diff --git a/pkg/controller/certrotation/certrotation_controller.go b/pkg/controller/certrotation/certrotation_controller.go index 823e347eb3..168c69f063 100644 --- a/pkg/controller/certrotation/certrotation_controller.go +++ b/pkg/controller/certrotation/certrotation_controller.go @@ -24,12 +24,15 @@ import ( "k8s.io/utils/clock" configv1 "github.com/openshift/api/config/v1" + features "github.com/openshift/api/features" configclientset "github.com/openshift/client-go/config/clientset/versioned" + configinformersexternal "github.com/openshift/client-go/config/informers/externalversions" machineclientset "github.com/openshift/client-go/machine/clientset/versioned" "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/certrotation" "github.com/openshift/library-go/pkg/operator/events" + "github.com/openshift/library-go/pkg/pki" aroclientset "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned" @@ -82,10 +85,25 @@ func New( mcoSecretInformer coreinformersv1.SecretInformer, mcoConfigMapInfomer coreinformersv1.ConfigMapInformer, infraInformer configinformers.InfrastructureInformer, + configInformerFactory configinformersexternal.SharedInformerFactory, + featureGatesHandler ctrlcommon.FeatureGatesHandler, ) (*CertRotationController, error) { recorder := events.NewLoggingEventRecorder(componentName, clock.RealClock{}) + cachesToSync := []cache.InformerSynced{ + maoSecretInformer.Informer().HasSynced, + mcoSecretInformer.Informer().HasSynced, + mcoConfigMapInfomer.Informer().HasSynced, + infraInformer.Informer().HasSynced, + } + + var pkiProfileProvider pki.PKIProfileProvider + if configInformerFactory != nil && featureGatesHandler != nil && featureGatesHandler.Enabled(features.FeatureGateConfigurablePKI) { + pkiProfileProvider = pki.NewClusterPKIProfileProvider(configInformerFactory.Config().V1alpha1().PKIs().Lister()) + cachesToSync = append(cachesToSync, configInformerFactory.Config().V1alpha1().PKIs().Informer().HasSynced) + } + c := &CertRotationController{ kubeClient: kubeClient, configClient: configClient, @@ -95,12 +113,7 @@ func New( mcoConfigMapInfomer: mcoConfigMapInfomer, mcoSecretLister: mcoSecretInformer.Lister(), maoSecretLister: maoSecretInformer.Lister(), - cachesToSync: []cache.InformerSynced{ - maoSecretInformer.Informer().HasSynced, - mcoSecretInformer.Informer().HasSynced, - mcoConfigMapInfomer.Informer().HasSynced, - infraInformer.Informer().HasSynced, - }, + cachesToSync: cachesToSync, hostnamesRotation: &DynamicServingRotation{hostnamesChanged: make(chan struct{}, 10)}, hostnamesQueue: workqueue.NewTypedRateLimitingQueueWithConfig( @@ -124,12 +137,14 @@ func New( JiraComponent: "Machine Config Operator", Description: "CA used to sign the MachineConfigServer TLS certificate", }, - Validity: mcsCAExpiry, - Refresh: mcsCARefresh, - Informer: mcoSecretInformer, - Lister: c.mcoSecretLister, - Client: kubeClient.CoreV1(), - EventRecorder: recorder, + Validity: mcsCAExpiry, + Refresh: mcsCARefresh, + CertificateName: "machine-config.machine-config-server-signer", + PKIProfileProvider: pkiProfileProvider, + Informer: mcoSecretInformer, + Lister: c.mcoSecretLister, + Client: kubeClient.CoreV1(), + EventRecorder: recorder, }, certrotation.CABundleConfigMap{ Namespace: ctrlcommon.MCONamespace, @@ -156,10 +171,12 @@ func New( Hostnames: c.hostnamesRotation.GetHostnames, HostnamesChanged: c.hostnamesRotation.hostnamesChanged, }, - Informer: mcoSecretInformer, - Lister: c.mcoSecretLister, - Client: kubeClient.CoreV1(), - EventRecorder: recorder, + CertificateName: "machine-config.machine-config-server-serving", + PKIProfileProvider: pkiProfileProvider, + Informer: mcoSecretInformer, + Lister: c.mcoSecretLister, + Client: kubeClient.CoreV1(), + EventRecorder: recorder, }, recorder, NewCertRotationStatusReporter(), diff --git a/pkg/controller/certrotation/certrotation_controller_test.go b/pkg/controller/certrotation/certrotation_controller_test.go index 231a1ea672..1d6f260789 100644 --- a/pkg/controller/certrotation/certrotation_controller_test.go +++ b/pkg/controller/certrotation/certrotation_controller_test.go @@ -111,7 +111,7 @@ func (f *fixture) newController() *CertRotationController { f.infraLister = append(f.infraLister, infra.(*configv1.Infrastructure)) } - c, err := New(f.kubeClient, f.configClient, f.machineClient, f.aroClient, f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().ConfigMaps(), f.infraInformer.Config().V1().Infrastructures()) + c, err := New(f.kubeClient, f.configClient, f.machineClient, f.aroClient, f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().ConfigMaps(), f.infraInformer.Config().V1().Infrastructures(), nil, nil) require.NoError(f.t, err) c.StartInformers() diff --git a/vendor/k8s.io/code-generator/generate-groups.sh b/vendor/k8s.io/code-generator/generate-groups.sh old mode 100755 new mode 100644 diff --git a/vendor/k8s.io/code-generator/generate-internal-groups.sh b/vendor/k8s.io/code-generator/generate-internal-groups.sh old mode 100755 new mode 100644