diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
index 7de714ebfb6..f68138d4201 100644
--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -267,6 +267,110 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";healthy;unhealthy;error
+type KMSPluginHealthStatus string
+
+const (
+	KMSPluginHealthStatusHealthy KMSPluginHealthStatus = "healthy"
+
+	KMSPluginHealthStatusUnhealthy KMSPluginHealthStatus = "unhealthy"
+
+	KMSPluginHealthStatusError KMSPluginHealthStatus = "error"
+)
+
+// +openshift:compatibility-gen:level=1
+type KMSPluginHealthReport struct {
+
+	// nodeName is the name of the node this instance of the plugin runs on.
+	// The combination of NodeName/KeyId makes this health report unique.
+	// The value must be at most 512 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=512
+	// +required
+	NodeName string `json:"nodeName,omitempty"`
+
+	// keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node.
+	// This is not a cryptographic key used to encrypt/decrypt any resources.
+	// The value must be at most 512 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=512
+	// +required
+	KeyId string `json:"keyId,omitempty"`
+
+	// status contains a health indicator for the respective KMS plugin
+	// The field can have three states: healthy, unhealthy, error.
+	// With error and unhealthy containing additional information in Detail.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=10
+	// +required
+	Status KMSPluginHealthStatus `json:"status,omitempty"`
+
+	// lastChecked is a timestamp of when the probe was last checked.
+	// +required
+	LastChecked metav1.Time `json:"lastChecked,omitempty"`
+
+	// kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id.
+	// This is not a cryptographic key, but a unique representation of the KEK.
+	// +kubebuilder:validation:MinLength=0
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	KEKId *string `json:"kekId,omitempty"`
+
+	// detail contains additional error/health information; omitted when healthy
+	// +kubebuilder:validation:MinLength=0
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Detail *string `json:"detail,omitempty"`
+}
+
+// +openshift:compatibility-gen:level=1
+type KMSPluginRotationStatus struct {
+	// kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id.
+	// This id can change externally and tells OpenShift when to trigger a migration of the configured resources.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +required
+	KEKId string `json:"kekId,omitempty"`
+
+	// discoveryTime contains the time when the operator has detected a change in the status keyId, this
+	// is determined by all nodes agreeing on the same KEKid.
+	// This can be used to give additional time for key convergence or cache invalidation before a migration is started.
+	// When omitted, the KEKId has not been observed from all nodes yet.
+	// +optional
+	DiscoveryTime *metav1.Time `json:"discoveryTime,omitempty"`
+
+	// migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change
+	// in the KEKid. Will be empty when no migration has been triggered yet
+	// +optional
+	MigrationStartTime *metav1.Time `json:"migrationStartTime,omitempty"`
+
+	// migrationFinishTime contains the time when the storage migration completed successfully.
+	// If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress.
+	// +optional
+	MigrationFinishTime *metav1.Time `json:"migrationFinishTime,omitempty"`
+}
+
+// +openshift:compatibility-gen:level=1
+// +kubebuilder:validation:MinProperties=1
+type APIServerEncryptionStatus struct {
+	// healthReports contains all KMS plugin health reports for this APIServer.
+	// When omitted, no health reports are available.
+	// +optional
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=100
+	HealthReports []KMSPluginHealthReport `json:"healthReports,omitempty"`
+
+	// keyRotationStatus contains the status of the last three key rotations that were running.
+	// When omitted, no key rotations have been recorded.
+	// The list is limited to the 10 most recent rotation records.
+	// +optional
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=10
+	// +listType=atomic
+	KeyRotationStatus []KMSPluginRotationStatus `json:"keyRotationStatus,omitempty"`
+}
+
 type APIServerStatus struct {
 }
 
diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go
index 1a562b8582a..b2249e71c1f 100644
--- a/config/v1/zz_generated.deepcopy.go
+++ b/config/v1/zz_generated.deepcopy.go
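Review bot: `healthReports` has no list-type marker although its element comment promises that the NodeName/KeyId pair makes each report unique, so the API server enforces nothing about duplicates and server-side apply treats the whole list as atomic; declare it as a keyed map so duplicates are rejected and independent writers can merge: `// +listType=map`, `// +listMapKey=nodeName`, `// +listMapKey=keyId`. On `status`, the FeatureGateAwareEnum marker admits `""` while `MinLength=1` and `+required` forbid it, so the two validations contradict each other — drop either the empty enum member or the MinLength (the `MaxLength=10` is then redundant with the enum). The `keyRotationStatus` comment says "the last three key rotations" and two lines later "the 10 most recent rotation records"; `MaxItems=10` is what the schema enforces, so `// keyRotationStatus contains the status of the most recent key rotations.` with the "last three" wording removed. If `detail` is populated from the plugin's probe or error output, its comment should also say that backend addresses, tokens or other plugin-internal error text must not be copied into it, since this lands in a cluster-scoped status object that is readable by anyone who can get the operator resource.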
@@ -56,6 +56,36 @@ func (in *APIServerEncryption) DeepCopy() *APIServerEncryption { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *APIServerEncryptionStatus) DeepCopyInto(out *APIServerEncryptionStatus) { + *out = *in + if in.HealthReports != nil { + in, out := &in.HealthReports, &out.HealthReports + *out = make([]KMSPluginHealthReport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.KeyRotationStatus != nil { + in, out := &in.KeyRotationStatus, &out.KeyRotationStatus + *out = make([]KMSPluginRotationStatus, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerEncryptionStatus. +func (in *APIServerEncryptionStatus) DeepCopy() *APIServerEncryptionStatus { + if in == nil { + return nil + } + out := new(APIServerEncryptionStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerList) DeepCopyInto(out *APIServerList) { *out = *in 
@@ -3827,6 +3857,61 @@ func (in *KMSPluginConfig) DeepCopy() *KMSPluginConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSPluginHealthReport) DeepCopyInto(out *KMSPluginHealthReport) { + *out = *in + in.LastChecked.DeepCopyInto(&out.LastChecked) + if in.KEKId != nil { + in, out := &in.KEKId, &out.KEKId + *out = new(string) + **out = **in + } + if in.Detail != nil { + in, out := &in.Detail, &out.Detail + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPluginHealthReport. +func (in *KMSPluginHealthReport) DeepCopy() *KMSPluginHealthReport { + if in == nil { + return nil + } + out := new(KMSPluginHealthReport) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSPluginRotationStatus) DeepCopyInto(out *KMSPluginRotationStatus) { + *out = *in + if in.DiscoveryTime != nil { + in, out := &in.DiscoveryTime, &out.DiscoveryTime + *out = (*in).DeepCopy() + } + if in.MigrationStartTime != nil { + in, out := &in.MigrationStartTime, &out.MigrationStartTime + *out = (*in).DeepCopy() + } + if in.MigrationFinishTime != nil { + in, out := &in.MigrationFinishTime, &out.MigrationFinishTime + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPluginRotationStatus. +func (in *KMSPluginRotationStatus) DeepCopy() *KMSPluginRotationStatus { + if in == nil { + return nil + } + out := new(KMSPluginRotationStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in 
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 819a2e41060..4d398015bd1 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -286,6 +286,15 @@ func (APIServerEncryption) SwaggerDoc() map[string]string { return map_APIServerEncryption } +var map_APIServerEncryptionStatus = map[string]string{ + "healthReports": "healthReports contains all KMS plugin health reports for this APIServer. When omitted, no health reports are available.", + "keyRotationStatus": "keyRotationStatus contains the status of the last three key rotations that were running. When omitted, no key rotations have been recorded. The list is limited to the 10 most recent rotation records.", +} + +func (APIServerEncryptionStatus) SwaggerDoc() map[string]string { + return map_APIServerEncryptionStatus +} + var map_APIServerList = map[string]string{ "": "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -346,6 +355,30 @@ func (AuditCustomRule) SwaggerDoc() map[string]string { return map_AuditCustomRule } +var map_KMSPluginHealthReport = map[string]string{ + "nodeName": "nodeName is the name of the node this instance of the plugin runs on. The combination of NodeName/KeyId makes this health report unique. The value must be at most 512 characters.", + "keyId": "keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. This is not a cryptographic key used to encrypt/decrypt any resources. The value must be at most 512 characters.", + "status": "status contains a health indicator for the respective KMS plugin The field can have three states: healthy, unhealthy, error. With error and unhealthy containing additional information in Detail.", + "lastChecked": "lastChecked is a timestamp of when the probe was last checked.", + "kekId": "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the KEK.", + "detail": "detail contains additional error/health information; omitted when healthy", +} + +func (KMSPluginHealthReport) SwaggerDoc() map[string]string { + return map_KMSPluginHealthReport +} + +var map_KMSPluginRotationStatus = map[string]string{ + "kekId": "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. This id can change externally and tells OpenShift when to trigger a migration of the configured resources.", + "discoveryTime": "discoveryTime contains the time when the operator has detected a change in the status keyId, this is determined by all nodes agreeing on the same KEKid. This can be used to give additional time for key convergence or cache invalidation before a migration is started. When omitted, the KEKId has not been observed from all nodes yet.", + "migrationStartTime": "migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change in the KEKid. 
Will be empty when no migration has been triggered yet", + "migrationFinishTime": "migrationFinishTime contains the time when the storage migration completed successfully. If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress.", +} + +func (KMSPluginRotationStatus) SwaggerDoc() map[string]string { + return map_KMSPluginRotationStatus +} + var map_Authentication = map[string]string{ "": "Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index c3fd75ec19e..85f445a0fa3 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -158,6 +158,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/cloudnetwork/v1.CloudPrivateIPConfigStatus": schema_openshift_api_cloudnetwork_v1_CloudPrivateIPConfigStatus(ref), "github.com/openshift/api/config/v1.APIServer": schema_openshift_api_config_v1_APIServer(ref), "github.com/openshift/api/config/v1.APIServerEncryption": schema_openshift_api_config_v1_APIServerEncryption(ref), + "github.com/openshift/api/config/v1.APIServerEncryptionStatus": schema_openshift_api_config_v1_APIServerEncryptionStatus(ref), "github.com/openshift/api/config/v1.APIServerList": schema_openshift_api_config_v1_APIServerList(ref), "github.com/openshift/api/config/v1.APIServerNamedServingCert": schema_openshift_api_config_v1_APIServerNamedServingCert(ref), "github.com/openshift/api/config/v1.APIServerServingCerts": schema_openshift_api_config_v1_APIServerServingCerts(ref), @@ -318,6 +319,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.InsightsDataGatherSpec": schema_openshift_api_config_v1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1.IntermediateTLSProfile": schema_openshift_api_config_v1_IntermediateTLSProfile(ref), "github.com/openshift/api/config/v1.KMSPluginConfig": schema_openshift_api_config_v1_KMSPluginConfig(ref), + "github.com/openshift/api/config/v1.KMSPluginHealthReport": schema_openshift_api_config_v1_KMSPluginHealthReport(ref), + "github.com/openshift/api/config/v1.KMSPluginRotationStatus": schema_openshift_api_config_v1_KMSPluginRotationStatus(ref), "github.com/openshift/api/config/v1.KeystoneIdentityProvider": schema_openshift_api_config_v1_KeystoneIdentityProvider(ref), "github.com/openshift/api/config/v1.KubeClientConfig": schema_openshift_api_config_v1_KubeClientConfig(ref), "github.com/openshift/api/config/v1.KubevirtPlatformSpec": schema_openshift_api_config_v1_KubevirtPlatformSpec(ref), 
@@ -8982,6 +8985,53 @@ func schema_openshift_api_config_v1_APIServerEncryption(ref common.ReferenceCall } } +func schema_openshift_api_config_v1_APIServerEncryptionStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "healthReports": { + SchemaProps: spec.SchemaProps{ + Description: "healthReports contains all KMS plugin health reports for this APIServer. When omitted, no health reports are available.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.KMSPluginHealthReport"), + }, + }, + }, + }, + }, + "keyRotationStatus": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "keyRotationStatus contains the status of the last three key rotations that were running. When omitted, no key rotations have been recorded. The list is limited to the 10 most recent rotation records.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.KMSPluginRotationStatus"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.KMSPluginHealthReport", "github.com/openshift/api/config/v1.KMSPluginRotationStatus"}, + } +} + func schema_openshift_api_config_v1_APIServerList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -16242,6 +16292,102 @@ func schema_openshift_api_config_v1_KMSPluginConfig(ref common.ReferenceCallback } } +func schema_openshift_api_config_v1_KMSPluginHealthReport(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "nodeName": { + SchemaProps: spec.SchemaProps{ + Description: "nodeName is the name of the node this instance of the plugin runs on. The combination of NodeName/KeyId makes this health report unique. The value must be at most 512 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "keyId": { + SchemaProps: spec.SchemaProps{ + Description: "keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. This is not a cryptographic key used to encrypt/decrypt any resources. The value must be at most 512 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status contains a health indicator for the respective KMS plugin The field can have three states: healthy, unhealthy, error. With error and unhealthy containing additional information in Detail.", + Type: []string{"string"}, + Format: "", + }, + }, + "lastChecked": { + SchemaProps: spec.SchemaProps{ + Description: "lastChecked is a timestamp of when the probe was last checked.", + Ref: ref(metav1.Time{}.OpenAPIModelName()), + }, + }, + "kekId": { + SchemaProps: spec.SchemaProps{ + Description: "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. 
This is not a cryptographic key, but a unique representation of the KEK.", + Type: []string{"string"}, + Format: "", + }, + }, + "detail": { + SchemaProps: spec.SchemaProps{ + Description: "detail contains additional error/health information; omitted when healthy", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"nodeName", "keyId", "status", "lastChecked"}, + }, + }, + Dependencies: []string{ + metav1.Time{}.OpenAPIModelName()}, + } +} + +func schema_openshift_api_config_v1_KMSPluginRotationStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kekId": { + SchemaProps: spec.SchemaProps{ + Description: "kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. This id can change externally and tells OpenShift when to trigger a migration of the configured resources.", + Type: []string{"string"}, + Format: "", + }, + }, + "discoveryTime": { + SchemaProps: spec.SchemaProps{ + Description: "discoveryTime contains the time when the operator has detected a change in the status keyId, this is determined by all nodes agreeing on the same KEKid. This can be used to give additional time for key convergence or cache invalidation before a migration is started. When omitted, the KEKId has not been observed from all nodes yet.", + Ref: ref(metav1.Time{}.OpenAPIModelName()), + }, + }, + "migrationStartTime": { + SchemaProps: spec.SchemaProps{ + Description: "migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change in the KEKid. Will be empty when no migration has been triggered yet", + Ref: ref(metav1.Time{}.OpenAPIModelName()), + }, + }, + "migrationFinishTime": { + SchemaProps: spec.SchemaProps{ + Description: "migrationFinishTime contains the time when the storage migration completed successfully. 
If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress.", + Ref: ref(metav1.Time{}.OpenAPIModelName()), + }, + }, + }, + Required: []string{"kekId"}, + }, + }, + Dependencies: []string{ + metav1.Time{}.OpenAPIModelName()}, + } +} + func schema_openshift_api_config_v1_KeystoneIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -57900,11 +58046,18 @@ func schema_openshift_api_operator_v1_KubeAPIServerStatus(ref common.ReferenceCa }, }, }, + "encryptionStatus": { + SchemaProps: spec.SchemaProps{ + Description: "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.APIServerEncryptionStatus"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.GenerationStatus", "github.com/openshift/api/operator/v1.NodeStatus", "github.com/openshift/api/operator/v1.OperatorCondition", "github.com/openshift/api/operator/v1.ServiceAccountIssuerStatus"}, + "github.com/openshift/api/config/v1.APIServerEncryptionStatus", "github.com/openshift/api/operator/v1.GenerationStatus", "github.com/openshift/api/operator/v1.NodeStatus", "github.com/openshift/api/operator/v1.OperatorCondition", "github.com/openshift/api/operator/v1.ServiceAccountIssuerStatus"}, } } @@ -60635,9 +60788,18 @@ func schema_openshift_api_operator_v1_OAuthAPIServerStatus(ref common.ReferenceC Format: "int32", }, }, + "encryptionStatus": { + SchemaProps: spec.SchemaProps{ + Description: "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.APIServerEncryptionStatus"), + }, + }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.APIServerEncryptionStatus"}, } } 
@@ -61230,11 +61392,18 @@ func schema_openshift_api_operator_v1_OpenShiftAPIServerStatus(ref common.Refere }, }, }, + "encryptionStatus": { + SchemaProps: spec.SchemaProps{ + Description: "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.APIServerEncryptionStatus"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.GenerationStatus", "github.com/openshift/api/operator/v1.OperatorCondition"}, + "github.com/openshift/api/config/v1.APIServerEncryptionStatus", "github.com/openshift/api/operator/v1.GenerationStatus", "github.com/openshift/api/operator/v1.OperatorCondition"}, } } diff --git a/operator/v1/types_authentication.go b/operator/v1/types_authentication.go index 7cc22d1e4e3..20b3e9d09d6 100644 --- a/operator/v1/types_authentication.go +++ b/operator/v1/types_authentication.go @@ -1,6 +1,7 @@ package v1 import ( + v1 "github.com/openshift/api/config/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -49,6 +50,11 @@ type OAuthAPIServerStatus struct { // +optional // +kubebuilder:validation:Minimum=0 LatestAvailableRevision int32 `json:"latestAvailableRevision,omitempty"` + + // encryptionStatus contains status reports for the KMS plugin health and its key rotation. + // +optional + // +openshift:enable:FeatureGate=KMSEncryption + EncryptionStatus v1.APIServerEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/operator/v1/types_kubeapiserver.go b/operator/v1/types_kubeapiserver.go index 1461f11a12a..eba51ed2034 100644 --- a/operator/v1/types_kubeapiserver.go +++ b/operator/v1/types_kubeapiserver.go @@ -1,6 +1,7 @@ package v1 import ( + v1 "github.com/openshift/api/config/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
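Review bot: In the types_authentication.go import hunk, `github.com/openshift/api/config/v1` is imported under the alias `v1` inside a file that is itself `package v1`, so `v1.APIServerEncryptionStatus` on the new `EncryptionStatus` field reads as a reference to the current package rather than to the config API. Prefer the conventional `configv1 "github.com/openshift/api/config/v1"` alias and reference the type as `configv1.APIServerEncryptionStatus`, which is how other files in this package refer to config types if they follow the usual openshift/api convention. The same `v1` aliasing is repeated in the types_kubeapiserver.go and types_openshiftapiserver.go import hunks of this change.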
@@ -63,6 +64,11 @@ type KubeAPIServerStatus struct {
 	// +optional
 	// +listType=atomic
 	ServiceAccountIssuers []ServiceAccountIssuerStatus `json:"serviceAccountIssuers,omitempty"`
+
+	// encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+	// +optional
+	// +openshift:enable:FeatureGate=KMSEncryption
+	EncryptionStatus v1.APIServerEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 
 type ServiceAccountIssuerStatus struct {
diff --git a/operator/v1/types_openshiftapiserver.go b/operator/v1/types_openshiftapiserver.go
index a96e033cb7b..e29160e2f63 100644
--- a/operator/v1/types_openshiftapiserver.go
+++ b/operator/v1/types_openshiftapiserver.go
@@ -1,6 +1,7 @@
 package v1
 
 import (
+	v1 "github.com/openshift/api/config/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -39,6 +40,11 @@ type OpenShiftAPIServerSpec struct {
 
 type OpenShiftAPIServerStatus struct {
 	OperatorStatus `json:",inline"`
+
+	// encryptionStatus contains status reports for the KMS plugin health and its key rotation.
+	// +optional
+	// +openshift:enable:FeatureGate=KMSEncryption
+	EncryptionStatus v1.APIServerEncryptionStatus `json:"encryptionStatus,omitempty,omitzero"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..426a1f60455
--- /dev/null
+++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml
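Review bot: The new `encryptionStatus` field comment on KubeAPIServerStatus does not say who populates it, when it is present, or why the `omitzero` tag is there; the generated CRD in this same change adds `minProperties: 1` to this object, so an empty `{}` is rejected by the API server and the field must vanish entirely when there is nothing to report. Suggest extending the comment with `// It is presumably written only by the operator and is omitted entirely until at least one KMS plugin health report or key rotation record exists.` so readers of the status know that absence means "no data" rather than "healthy". The `omitzero` option is only honored by encoding/json from Go 1.24 onward — worth confirming the module's go directive is at that level, because with an older toolchain the zero struct would still serialize as `{}` and every status write would fail the minProperties check. The same field is added to OAuthAPIServerStatus and OpenShiftAPIServerStatus in this change, so the comment should be updated in all three places.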
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml new file mode 100644 index 00000000000..3eb9d7d49e3 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml 
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f990bb911c0 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml similarity index 99% rename from operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml rename to operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml index 6d2d44026a4..fa02abd00f7 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..6b51208f241 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..ef5ff90cc9b --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml new file mode 100644 index 00000000000..04e2b329dd2 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml 
@@ -0,0 +1,214 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..2d4dabe8b6c --- /dev/null 
+++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml similarity index 99% rename from payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml rename to operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml index bb9b904fc52..6c0b86e190c 100644 --- a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: openshiftapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..3390771e24a --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..fe68e0cf9ea --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml new file mode 100644 index 00000000000..49a08abc057 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-Default.crd.yaml 
@@ -0,0 +1,219 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..57144dd9f4d --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml similarity index 99% rename from operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml rename to operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml index 029c91ac0fb..d12f5239d13 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-OKD.crd.yaml @@ -5,6 +5,7 @@ metadata: api-approved.openshift.io: https://github.com/openshift/api/pull/475 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: authentications.operator.openshift.io spec: group: operator.openshift.io diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f4ae3a3ba4e --- /dev/null 
+++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f825..1132205481c 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -338,7 +338,7 @@ func (in *AuthenticationSpec) DeepCopy() *AuthenticationSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationStatus) DeepCopyInto(out *AuthenticationStatus) { *out = *in - out.OAuthAPIServer = in.OAuthAPIServer + in.OAuthAPIServer.DeepCopyInto(&out.OAuthAPIServer) in.OperatorStatus.DeepCopyInto(&out.OperatorStatus) return } @@ -2838,6 +2838,7 @@ func (in *KubeAPIServerStatus) DeepCopyInto(out *KubeAPIServerStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } @@ -4038,6 +4039,7 @@ func (in *NodeStatus) DeepCopy() *NodeStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OAuthAPIServerStatus) DeepCopyInto(out *OAuthAPIServerStatus) { *out = *in + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } 
@@ -4287,6 +4289,7 @@ func (in *OpenShiftAPIServerSpec) DeepCopy() *OpenShiftAPIServerSpec { func (in *OpenShiftAPIServerStatus) DeepCopyInto(out *OpenShiftAPIServerStatus) { *out = *in in.OperatorStatus.DeepCopyInto(&out.OperatorStatus) + in.EncryptionStatus.DeepCopyInto(&out.EncryptionStatus) return } diff --git a/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/operator/v1/zz_generated.featuregated-crd-manifests.yaml index aaf09729085..38cf1f932fe 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ authentications.operator.openshift.io: CRDName: authentications.operator.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryption FilenameOperatorName: authentication FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_50" @@ -221,6 +222,7 @@ kubeapiservers.operator.openshift.io: Category: coreoperators FeatureGates: - EventTTL + - KMSEncryption FilenameOperatorName: kube-apiserver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_20" @@ -375,7 +377,8 @@ openshiftapiservers.operator.openshift.io: CRDName: openshiftapiservers.operator.openshift.io Capability: "" Category: coreoperators - FeatureGates: [] + FeatureGates: + - KMSEncryption FilenameOperatorName: openshift-apiserver FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_30" diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml new file mode 100644 index 00000000000..c29eef2d4f9 --- /dev/null +++ b/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml 
@@ -0,0 +1,330 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/filename-cvo-runlevel: "0000_50" + api.openshift.io/filename-operator: authentication + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/KMSEncryption: "true" + include.release.openshift.io/self-managed-high-availability: "true" + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. 
+ + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. 
+ maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. 
+ This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml new file mode 100644 index 00000000000..1ef2cbed146 --- /dev/null +++ b/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml 
@@ -0,0 +1,444 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/filename-cvo-runlevel: "0000_20" + api.openshift.io/filename-operator: kube-apiserver + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/KMSEncryption: "true" + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. 
+ items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. 
+ format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml new file mode 100644 index 00000000000..d7d6a4d96bc --- /dev/null +++ b/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/filename-cvo-runlevel: "0000_30" + api.openshift.io/filename-operator: openshift-apiserver + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/KMSEncryption: "true" + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028d..2a09c3c05a8 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go @@ -137,6 +137,7 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string { var map_OAuthAPIServerStatus = map[string]string{ "latestAvailableRevision": "latestAvailableRevision is the latest revision used as suffix of revisioned secrets like encryption-config. A new revision causes a new deployment of pods.", + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", } func (OAuthAPIServerStatus) SwaggerDoc() map[string]string { @@ -1327,6 +1328,7 @@ func (KubeAPIServerSpec) SwaggerDoc() map[string]string { var map_KubeAPIServerStatus = map[string]string{ "serviceAccountIssuers": "serviceAccountIssuers tracks history of used service account issuers. The item without expiration time represents the currently used service account issuer. The other items represents service account issuers that were used previously and are still being trusted. The default expiration for the items is set by the platform and it defaults to 24h. see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection", + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", } func (KubeAPIServerStatus) SwaggerDoc() map[string]string { 
@@ -2080,6 +2082,14 @@ func (OpenShiftAPIServerList) SwaggerDoc() map[string]string { return map_OpenShiftAPIServerList } +var map_OpenShiftAPIServerStatus = map[string]string{ + "encryptionStatus": "encryptionStatus contains status reports for the KMS plugin health and its key rotation.", +} + +func (OpenShiftAPIServerStatus) SwaggerDoc() map[string]string { + return map_OpenShiftAPIServerStatus +} + var map_OpenShiftControllerManager = map[string]string{ "": "OpenShiftControllerManager provides information to configure an operator to manage openshift-controller-manager.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..426a1f60455 --- /dev/null +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml new file mode 100644 index 00000000000..3eb9d7d49e3 --- /dev/null +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml 
@@ -0,0 +1,349 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + 
rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f990bb911c0 --- /dev/null +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml similarity index 99% rename from payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml rename to payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml index 6d2d44026a4..fa02abd00f7 100644 --- a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..6b51208f241 --- /dev/null +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,458 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: kubeapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: KubeAPIServer + listKind: KubeAPIServerList + plural: kubeapiservers + singular: kubeapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeAPIServer provides information to configure an operator to manage kube-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + Kubernetes API Server + properties: + eventTTLMinutes: + description: |- + eventTTLMinutes specifies the amount of time that the events are stored before being deleted. 
+ The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). + + Lowering this value will reduce the storage required in etcd. Note that this setting will only apply + to new events being created and will not update existing events. + + When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. + The current default value is 3h (180 minutes). + format: int32 + maximum: 180 + minimum: 5 + type: integer + failedRevisionLimit: + description: |- + failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + forceRedeploymentReason: + description: |- + forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. + This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work + this time instead of failing again on the same config. + type: string + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Force)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. 
It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + succeededRevisionLimit: + description: |- + succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api + -1 = unlimited, 0 or unset = 5 (default) + format: int32 + type: integer + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the Kubernetes + API Server + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. 
+ maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. 
Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + latestAvailableRevisionReason: + description: latestAvailableRevisionReason describe the detailed reason + for the most recent deployment + type: string + nodeStatuses: + description: nodeStatuses track the deployment values and errors across + individual nodes + items: + description: NodeStatus provides information about the current state + of a particular node managed by 
this operator. + properties: + currentRevision: + description: |- + currentRevision is the generation of the most recently successful deployment. + Can not be set on creation of a nodeStatus. Updates must only increase the value. + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + lastFailedCount: + description: lastFailedCount is how often the installer pod + of the last failed revision failed. + type: integer + lastFailedReason: + description: lastFailedReason is a machine readable failure + reason string. + type: string + lastFailedRevision: + description: lastFailedRevision is the generation of the deployment + we tried and failed to deploy. + format: int32 + type: integer + lastFailedRevisionErrors: + description: lastFailedRevisionErrors is a list of human readable + errors during the failed deployment referenced in lastFailedRevision. + items: + type: string + type: array + x-kubernetes-list-type: atomic + lastFailedTime: + description: lastFailedTime is the time the last failed revision + failed the last time. + format: date-time + type: string + lastFallbackCount: + description: lastFallbackCount is how often a fallback to a + previous revision happened. + type: integer + nodeName: + description: nodeName is the name of the node + type: string + targetRevision: + description: |- + targetRevision is the generation of the deployment we're trying to apply. + Can not be set on creation of a nodeStatus. 
+ format: int32 + type: integer + required: + - nodeName + type: object + x-kubernetes-validations: + - fieldPath: .currentRevision + message: cannot be unset once set + rule: has(self.currentRevision) || !has(oldSelf.currentRevision) + - fieldPath: .currentRevision + message: currentRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.currentRevision) + - fieldPath: .targetRevision + message: targetRevision can not be set on creation of a nodeStatus + optionalOldSelf: true + rule: oldSelf.hasValue() || !has(self.targetRevision) + type: array + x-kubernetes-list-map-keys: + - nodeName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: no more than 1 node status may have a nonzero targetRevision + rule: size(self.filter(status, status.?targetRevision.orValue(0) + != 0)) <= 1 + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + serviceAccountIssuers: + description: |- + serviceAccountIssuers tracks history of used service account issuers. + The item without expiration time represents the currently used service account issuer. + The other items represents service account issuers that were used previously and are still being trusted. + The default expiration for the items is set by the platform and it defaults to 24h. + see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection + items: + properties: + expirationTime: + description: |- + expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list + of service account issuers. 
+ format: date-time + type: string + name: + description: name is the name of the service account issuer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..ef5ff90cc9b --- /dev/null +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml new file mode 100644 index 00000000000..04e2b329dd2 --- /dev/null +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-Default.crd.yaml 
@@ -0,0 +1,214 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..2d4dabe8b6c --- /dev/null +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml similarity index 99% rename from operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml rename to payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml index bb9b904fc52..6c0b86e190c 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers.crd.yaml +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: openshiftapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..3390771e24a --- /dev/null +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,323 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: openshiftapiservers.operator.openshift.io +spec: + group: operator.openshift.io + names: + categories: + - coreoperators + kind: OpenShiftAPIServer + listKind: OpenShiftAPIServerList + plural: openshiftapiservers + singular: openshiftapiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + OpenShiftAPIServer provides information to configure an operator to manage openshift-apiserver. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + OpenShift API Server. + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. 
It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status defines the observed status of the OpenShift API Server. 
+ properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + encryptionStatus: + description: encryptionStatus contains status reports for the KMS + plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health information; + omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. 
+ The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the probe + was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. + enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. 
+ If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + observedGeneration: + description: observedGeneration is the last 
generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..fe68e0cf9ea --- /dev/null +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-Default.crd.yaml new file mode 100644 index 00000000000..49a08abc057 --- /dev/null +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-Default.crd.yaml 
@@ -0,0 +1,219 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..57144dd9f4d --- /dev/null +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-OKD.crd.yaml similarity index 99% rename from payload-manifests/crds/0000_50_authentication_01_authentications.crd.yaml rename to payload-manifests/crds/0000_50_authentication_01_authentications-OKD.crd.yaml index 029c91ac0fb..d12f5239d13 100644 --- a/payload-manifests/crds/0000_50_authentication_01_authentications.crd.yaml +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-OKD.crd.yaml @@ -5,6 +5,7 @@ metadata: api-approved.openshift.io: https://github.com/openshift/api/pull/475 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: authentications.operator.openshift.io spec: group: operator.openshift.io diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f4ae3a3ba4e --- /dev/null +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,328 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/475 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: authentications.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication provides information to configure an operator to manage authentication. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + logLevel: + default: Normal + description: |- + logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for their operands. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". 
+ enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + managementState: + description: managementState indicates whether and how the operator + should manage the component + pattern: ^(Managed|Unmanaged|Force|Removed)$ + type: string + observedConfig: + description: |- + observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because + it is an input to the level for the operator + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + operatorLogLevel: + default: Normal + description: |- + operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a + simple way to manage coarse grained logging choices that operators have to interpret for themselves. + + Valid values are: "Normal", "Debug", "Trace", "TraceAll". + Defaults to "Normal". + enum: + - "" + - Normal + - Debug + - Trace + - TraceAll + type: string + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides overrides the final configuration that was computed by the operator. + Red Hat does not support the use of this field. + Misuse of this field could lead to unexpected behavior or conflict with other configuration options. + Seek guidance from the Red Hat support before using this field. + Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + properties: + conditions: + description: conditions is a list of conditions and their status + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + generations: + description: generations are used to determine when an item needs + to be reconciled or has changed in a way that needs a reaction. + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. + properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - name + - namespace + - resource + type: object + type: array + x-kubernetes-list-map-keys: + - group + - resource + - namespace + - name + x-kubernetes-list-type: map + latestAvailableRevision: + description: latestAvailableRevision is the deploymentID of the most + recent deployment + format: 
int32 + type: integer + x-kubernetes-validations: + - message: must only increase + rule: self >= oldSelf + oauthAPIServer: + description: oauthAPIServer holds status specific only to oauth-apiserver + properties: + encryptionStatus: + description: encryptionStatus contains status reports for the + KMS plugin health and its key rotation. + minProperties: 1 + properties: + healthReports: + description: |- + healthReports contains all KMS plugin health reports for this APIServer. + When omitted, no health reports are available. + items: + properties: + detail: + description: detail contains additional error/health + information; omitted when healthy + maxLength: 1024 + minLength: 0 + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This is not a cryptographic key, but a unique representation of the KEK. + maxLength: 1024 + minLength: 0 + type: string + keyId: + description: |- + keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. + This is not a cryptographic key used to encrypt/decrypt any resources. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + lastChecked: + description: lastChecked is a timestamp of when the + probe was last checked. + format: date-time + type: string + nodeName: + description: |- + nodeName is the name of the node this instance of the plugin runs on. + The combination of NodeName/KeyId makes this health report unique. + The value must be at most 512 characters. + maxLength: 512 + minLength: 1 + type: string + status: + description: |- + status contains a health indicator for the respective KMS plugin + The field can have three states: healthy, unhealthy, error. + With error and unhealthy containing additional information in Detail. 
+ enum: + - "" + - healthy + - unhealthy + - error + maxLength: 10 + minLength: 1 + type: string + required: + - keyId + - lastChecked + - nodeName + - status + type: object + maxItems: 100 + minItems: 0 + type: array + keyRotationStatus: + description: |- + keyRotationStatus contains the status of the last three key rotations that were running. + When omitted, no key rotations have been recorded. + The list is limited to the 10 most recent rotation records. + items: + properties: + discoveryTime: + description: |- + discoveryTime contains the time when the operator has detected a change in the status keyId, this + is determined by all nodes agreeing on the same KEKid. + This can be used to give additional time for key convergence or cache invalidation before a migration is started. + When omitted, the KEKId has not been observed from all nodes yet. + format: date-time + type: string + kekId: + description: |- + kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. + This id can change externally and tells OpenShift when to trigger a migration of the configured resources. + maxLength: 1024 + minLength: 1 + type: string + migrationFinishTime: + description: |- + migrationFinishTime contains the time when the storage migration completed successfully. + If this value is unset, but a migrationStartTime is supplied, a migration is currently in progress. + format: date-time + type: string + migrationStartTime: + description: |- + migrationStartTime contains the time when the operator has kicked off a storage migration, triggered by a change + in the KEKid. Will be empty when no migration has been triggered yet + format: date-time + type: string + required: + - kekId + type: object + maxItems: 10 + minItems: 0 + type: array + x-kubernetes-list-type: atomic + type: object + latestAvailableRevision: + description: |- + latestAvailableRevision is the latest revision used as suffix of revisioned + secrets like encryption-config. 
A new revision causes a new deployment of pods. + format: int32 + minimum: 0 + type: integer + type: object + observedGeneration: + description: observedGeneration is the last generation change you've + dealt with + format: int64 + type: integer + readyReplicas: + description: readyReplicas indicates how many replicas are ready and + at the desired state + format: int32 + type: integer + version: + description: version is the level this availability applies to + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}